[8u] Request for enhancement backport approval for CR 8207258 - Distrust TLS server certificates anchored by Symantec Root CAs

Liu, Xin xxinliu at amazon.com
Tue Feb 26 18:04:20 UTC 2019

Hi, Andrew and Aleksey, 

Thanks for catching these. I will modify it. I didn't know about jcheck. I will set it up and put it in our CI.
For this change, http://cr.openjdk.java.net/~phh/8207258/webrev.8u.00/test/lib/security/CheckBlacklistedCerts.java.udiff.html
It's because the newly introduced SecurityUtils::getCacertsKeyStore() can simplify the original code. Further, the original code defines fis but never uses it.
When I backport, I always wonder if I shall keep the backport patch as intact as possible or piggyback tidy-up code?


On 2/26/19, 9:45 AM, "Andrew Hughes" <gnu.andrew at redhat.com> wrote:

    > *) Indenting in SymantecTLSPolicy.java seems off at L193-195. Also superfluous newline at L196.
    >  190         if (notBeforeDate.isAfter(distrustDate)) {
    >  191             throw new ValidatorException
    >  192                     ("TLS Server certificate issued after " + distrustDate +
    >  193                             " and anchored by a distrusted legacy Symantec root CA: "
    >  194                             + anchor.getSubjectX500Principal(),
    >  195                             ValidatorException.T_UNTRUSTED_CERT, anchor);
    >  196
    >  197         }
    > Seems fine otherwise.
    > -Aleksey
    I presume you're all running jcheck locally? It tends to catch some of
    this stuff at commit that will otherwise fail to push.
    Andrew :)
    Senior Free Java Software Engineer
    Red Hat, Inc. (http://www.redhat.com)
    Web Site: http://fuseyism.com
    Twitter: https://twitter.com/gnu_andrew_java
    PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
    Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk8u-dev mailing list