On Tue, 2 May 2023 20:36:57 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> The original R4 did not have the digitalSignature keyUsage set. This root
>> signs OCSP responses, so it needed to be reissued to comply with section
>> 7.1.2.1 of the CA/B Forum baseline requirements. The only change between the
>> two versions aside from the serial number is the addition of the
>> digitalSignature key usage bit.
>
> Thanks for the explanation. Please file a different issue for this change,
> since it is outside the scope of this issue, which is to specifically add new
> roots that have been approved by the Java SE CA Root Program processes.
> Updated roots, even for small changes such as this, should be handled and
> approved using an equivalent process.

Reverted src/java.base/share/data/cacerts/globalsigneccrootcar4 in this PR.

Looks like the update for "globalsigneccrootcar4 [jdk]" in test/jdk/sun/security/lib/cacerts/VerifyCACerts.java also needs to be reverted, otherwise the test fails with the following error. I'll go ahead and revert that as well.

    ERROR: wrong checksum
    72:03:89:C2:7B:BF:87:87:E1:65:44:6E:43:5C:65:FF:B5:E8:F9:4C:8A:D1:63:6D:D1:91:4C:AD:1C:9A:CB:3B
    Expected checksum
    23:6E:7A:1C:37:AD:82:31:FD:32:E8:31:63:4B:1A:88:BA:1A:4D:F6:D3:91:CD:0F:B4:09:EC:55:9A:B2:01:51
    ERROR: globalsigneccrootcar4 [jdk] SHA-256 fingerprint is incorrect
    java.lang.RuntimeException: At least one cacert test failed
        at VerifyCACerts.main(VerifyCACerts.java:380)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:578)
        at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
        at java.base/java.lang.Thread.run(Thread.java:1592)

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13754#discussion_r1183055459