On Wed, 31 May 2023 22:46:53 GMT, Rajan Halade <rhal...@openjdk.org> wrote:
>> The new approach uses test URLs directly to verify interoperability with CA
>> infrastructure. This would help us avoid having regular test fixes to update
>> test artifacts as long as CAs keep test domains up to date.
>
> Rajan Halade has updated the pull request incrementally with one additional
> commit since the last revision:
>
> 8308592: remove unused imports
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
line 40:
> 38: * @library /test/lib
> 39: * @build jtreg.SkippedException
> 40: * @build ValidatePathWithURL
You could include these on one @build line.
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java
line 62:
> 60: public static void enableOCSPOnly() {
> 61: System.setProperty("com.sun.security.enableCRLDP", "false");
> 62: Security.setProperty("ocsp.enable", "true");
Technically I think you could avoid setting these properties (and running in
othervm mode) and instead init your `SSLContext` with a `TrustManager` and a
`CertPathTrustManagerParameters` containing a `PKIXParameters` with a
`PKIXRevocationChecker` configured with the desired revocation settings.
However, AFAIK, you can't pass in an `SSLContext` via the `HttpsURLConnection`
API, so you would need to use `HttpsClient` instead (which is only available in
Java 11 and up). However, I think this is something to consider as a future
enhancement, as you have more control over the various TLS settings.
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java
line 99:
> 97: // certain that test certificate anchors to trusted CA for
> VALID certificate
> 98: // if the connection is successful
> 99: Certificate[] chain =
> httpsURLConnection.getServerCertificates();
Mostly FYI - but another way to get the chain is to call the `getCertPath()`
method of the thrown `CertPathValidatorException`. This doesn't include the
root though.
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java
line 109:
> 107: System.out.println("Finding intermediate certificate
> issued by CA");
> 108: for (Certificate cert: chain){
> 109: if(cert instanceof X509Certificate certificate) {
Nit: space after `if`.
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithURL.java
line 158:
> 156: throw new SkippedException("Network setup issue, skip this
> test", e);
> 157: } finally {
> 158: if(httpsURLConnection != null) {
Nit: space after `if`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213598274
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213621334
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213634860
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213635463
PR Review Comment: https://git.openjdk.org/jdk/pull/14252#discussion_r1213636840
