8350498: Remove two Camerfirma root CA certificates

jdk/src/share/classes/sun/security/validator/CamerfirmaTLSPolicy.java

@@ -46,27 +46,14 @@ final class CamerfirmaTLSPolicy {
 
     private static final Debug debug = Debug.getInstance("certpath");
 
-    // SHA-256 certificate fingerprints of distrusted roots
-    private static final Set<String> FINGERPRINTS =
-            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
-        // cacerts alias: camerfirmachamberscommerceca
-        // DN: CN=Chambers of Commerce Root,
-        //     OU=http://www.chambersign.org,
-        //     O=AC Camerfirma SA CIF A82743287, C=EU
-        "0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3",
-        // cacerts alias: camerfirmachambersca
-        // DN: CN=Chambers of Commerce Root - 2008,
-        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
-        //     L=Madrid (see current address at www.camerfirma.com/address),
-        //     C=EU
-        "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0",
-        // cacerts alias: camerfirmachambersignca
-        // DN: CN=Global Chambersign Root - 2008,
-        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
-        //     L=Madrid (see current address at www.camerfirma.com/address),
-        //     C=EU
-        "136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA"
-    )));
+    // SHA-256 certificate fingerprint of distrusted root for TLS
+    // cacerts alias: camerfirmachambersca
+    // DN: CN=Chambers of Commerce Root - 2008,
+    //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
+    //     L=Madrid (see current address at www.camerfirma.com/address),
+    //     C=EU
+    private static final String FINGERPRINT =
+            "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0";
 
     // Any TLS Server certificate that is anchored by one of the Camerfirma
     // roots above and is issued after this date will be distrusted.
@@ -89,7 +76,7 @@ static void checkDistrust(X509Certificate[] chain)
             throw new ValidatorException("Cannot generate fingerprint for "
                 + "trust anchor of TLS server certificate");
         }
-        if (FINGERPRINTS.contains(fp)) {
+        if (FINGERPRINT.equalsIgnoreCase(fp)) {
             Date notBefore = chain[0].getNotBefore();
             LocalDate ldNotBefore = notBefore.toInstant()
                     .atZone(ZoneOffset.UTC).toLocalDate();

jdk/test/sun/security/lib/cacerts/VerifyCACerts.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@
  *      8223499 8225392 8232019 8234245 8233223 8225068 8225069 8243321 8243320
  *      8243559 8225072 8258630 8259312 8256421 8225081 8225082 8225083 8245654
  *      8305975 8304760 8307134 8295894 8314960 8317373 8317374 8318759 8319187
- *      8321408 8316138 8341057
+ *      8321408 8316138 8341057 8303770 8350498
  * @summary Check root CA entries in cacerts file
  */
 import java.io.ByteArrayInputStream;
@@ -54,12 +54,12 @@ public class VerifyCACerts {
             + File.separator + "security" + File.separator + "cacerts";
 
     // The numbers of certs now.
-    private static final int COUNT = 112;
+    private static final int COUNT = 109;
 
     // SHA-256 of cacerts, can be generated with
     // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95
     private static final String CHECKSUM
-            = "8F:E0:6F:7F:21:59:33:A6:43:F3:48:FD:A3:4A:8E:28:35:AA:DD:6E:A5:43:56:F1:28:34:48:DF:5C:D2:7C:72";
+            = "07:21:E0:F8:EA:55:CC:93:24:2E:74:07:4B:6B:CE:F3:81:C3:BB:47:5B:85:A2:F1:9E:44:CD:C0:99:55:D7:5F";
 
     // map of cert alias to SHA-256 fingerprint
     @SuppressWarnings("serial")
@@ -74,10 +74,6 @@ public class VerifyCACerts {
                     "ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D");
             put("camerfirmachambersca [jdk]",
                     "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0");
-            put("camerfirmachambersignca [jdk]",
-                    "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
-            put("camerfirmachamberscommerceca [jdk]",
-                    "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3");
             put("certumca [jdk]",
                     "D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24");
             put("certumtrustednetworkca [jdk]",
@@ -100,8 +96,6 @@ public class VerifyCACerts {
                     "68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2");
             put("addtrustqualifiedca [jdk]",
                     "80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16");
-            put("baltimorecybertrustca [jdk]",
-                    "16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB");
             put("digicertglobalrootca [jdk]",
                     "43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61");
             put("digicertglobalrootg2 [jdk]",

jdk/test/sun/security/ssl/X509TrustManagerImpl/distrust/Camerfirma.java

@@ -21,17 +21,19 @@
  * questions.
  */
 
+import javax.net.ssl.X509TrustManager;
 import java.io.File;
 import java.security.Security;
-import java.time.*;
-import java.util.*;
-import javax.net.ssl.*;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Date;
 
-/**
+/*
  * @test
- * @bug 8346587
+ * @bug 8346587 8350498
  * @summary Check that TLS Server certificates chaining back to distrusted
- *          Camerfirma roots are invalid
+ *          Camerfirma root are invalid
  * @library /lib/security
  * @modules java.base/sun.security.validator
  * @run main/othervm Camerfirma after policyOn invalid
@@ -42,21 +44,19 @@
 
 public class Camerfirma {
 
-    private static final String certPath = "chains" + File.separator + "camerfirma";
+    private static final String CERT_PATH = "chains" + File.separator + "camerfirma";
 
     // Each of the roots have a test certificate chain stored in a file
     // named "<root>-chain.pem".
-    private static String[] rootsToTest = new String[] {
-            "camerfirmachamberscommerceca", "camerfirmachambersca",
-            "camerfirmachambersignca"};
+    private static final String ROOT_TO_TEST = "camerfirmachambersca";
 
     // Date after the restrictions take effect
     private static final ZonedDateTime DISTRUST_DATE =
             LocalDate.of(2025, 04, 16).atStartOfDay(ZoneOffset.UTC);
 
     public static void main(String[] args) throws Exception {
 
-        // All of the test certificates are signed with SHA-1 so we need
+        // All the test certificates are signed with SHA-1, so we need
         // to remove the constraint that disallows SHA-1 certificates.
         String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
         String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer", "");
@@ -70,6 +70,6 @@ public static void main(String[] args) throws Exception {
         };
 
         Date notBefore = distrust.getNotBefore(DISTRUST_DATE);
-        distrust.testCertificateChain(certPath, notBefore, tms, rootsToTest);
+        distrust.testCertificateChain(CERT_PATH, notBefore, tms, ROOT_TO_TEST);
     }
 }