On 5/22/19 9:34 AM, Sean Mullan wrote:
On 5/22/19 12:04 PM, Rajan Halade wrote:
On 5/22/19 8:39 AM, Sean Mullan wrote:
On 5/21/19 5:31 PM, Rajan Halade wrote:
Please review this fix to update test certificates used in Actalis
and Comodo CA interop tests. The bug also mentioned QuoVadisCA test
but I am not able to reproduce the failure. For Actalis CA, I
couldn't get revoked test certificate but the test is updated for
valid certificate and will pass now by skipping expired revoked chain.
It looks like the test is still expecting a revoked status - is that
still working because the IntCA is revoked?:
It is working because revoked certificate is expired, test is skipped
then.
Have you asked Actalis for a new revoked test certificate? If you
can't get one, I would remove the revoked certificates and the test
for it then, since you are not testing that behavior anymore and that
is not apparent from the test right now.
I will follow up with CA then and leave this bug open for now.
Also do you know why the revocation check for the intermediate CA is
not working?
Revocation check on intermediate CA is working fine. INT_REVOKED is a
good certificate, may name is misleading. INT_REVOKED here means that
this is a intermediate CA for revoked EE certificate.
Thanks,
Rajan
232 // Validate Revoked
233 pathValidator.validate(new String[]{REVOKED, INT_REVOKED},
234 ValidatePathWithParams.Status.REVOKED,
235 "Fri Jan 29 01:06:42 PST 2016", System.out);
236
It should be ok if the revoked certificate is expired though as you
can set the validation date to the past (within the interval where
the certificate is still valid).
Or is it because the Actalis OCSP responder is no longer reporting
that the certificate is revoked?
Earlier test had past validation with OCSP but for some time now OCSP
is returning UNKNOWN status instead of REVOKED. This could be an
issue depending on how implementation treats UNKNOWN status. We will
have to follow up with CA to check on policy - Is this only happening
because we are using test certificate or is it a policy?
It depends, if it is a TLS certificate then it is usually acceptable
to report the revoked certificate as UNKNOWN after it expires since
you should not be trusting expired TLS certificates. For a code
signing certificate, it is better to retain the REVOKED status for a
longer time period after it expires since it may still be in use (for
example, in a timestamped application).
--Sean
Thanks,
Rajan
--Sean
Webrev: http://cr.openjdk.java.net/~rhalade/8202651/webrev.00/
Bug: https://bugs.openjdk.java.net/browse/JDK-8202651
Thanks,
Rajan
