# HG changeset patch # User mullan # Date 1548167239 18000 # Node ID f443de1cee050554cda30a919a2416d905822a67 # Parent 1cde04cbcec6a79568e804af757e41b79b0caabf 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs Reviewed-by: coffeys diff -r 1cde04cbcec6 -r f443de1cee05 src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java --- a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java Tue Jan 22 10:25:22 2019 +0800 +++ b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java Tue Jan 22 09:27:19 2019 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,17 +39,19 @@ enum CADistrustPolicy { /** * Distrust TLS Server certificates anchored by a Symantec root CA and - * issued after April 16, 2019. If enabled, this policy is currently - * enforced by the PKIX and SunX509 TrustManager implementations of the - * SunJSSE provider implementation. + * issued after April 16, 2019 (with exceptions for a couple of subordinate + * CAs, see the jdk.security.caDistrustPolicies definition in the + * java.security file for more details). If enabled, this policy is + * currently enforced by the PKIX and SunX509 TrustManager implementations + * of the SunJSSE provider implementation. */ SYMANTEC_TLS { - void checkDistrust(String variant, X509Certificate anchor, - X509Certificate ee) throws ValidatorException { + void checkDistrust(String variant, X509Certificate[] chain) + throws ValidatorException { if (!variant.equals(Validator.VAR_TLS_SERVER)) { return; } - SymantecTLSPolicy.checkDistrust(anchor, ee); + SymantecTLSPolicy.checkDistrust(chain); } }; @@ -57,13 +59,13 @@ * Checks if the end-entity certificate is distrusted. * * @param variant the type of certificate being checked - * @param anchor the trust anchor certificate - * @param ee the end-entity certificate to check + * @param chain the end-entity's certificate chain. The end entity cert + * is at index 0, the trust anchor at index n-1. * @throws ValidatorException if the end-entity certificate is distrusted */ abstract void checkDistrust(String variant, - X509Certificate anchor, - X509Certificate ee) throws ValidatorException; + X509Certificate[] chain) + throws ValidatorException; // The policies set in the jdk.security.caDistrustPolicies property. static final EnumSet POLICIES = parseProperty(); diff -r 1cde04cbcec6 -r f443de1cee05 src/java.base/share/classes/sun/security/validator/EndEntityChecker.java --- a/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java Tue Jan 22 10:25:22 2019 +0800 +++ b/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java Tue Jan 22 09:27:19 2019 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -132,27 +132,26 @@ return new EndEntityChecker(type, variant); } - void check(X509Certificate cert, Object parameter, - boolean checkUnresolvedCritExts, X509Certificate anchor) - throws CertificateException { + void check(X509Certificate[] chain, Object parameter, + boolean checkUnresolvedCritExts) throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { return; // no checks } - Set exts = getCriticalExtensions(cert); + Set exts = getCriticalExtensions(chain[0]); if (variant.equals(Validator.VAR_TLS_SERVER)) { - checkTLSServer(cert, (String)parameter, exts); + checkTLSServer(chain[0], (String)parameter, exts); } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { - checkTLSClient(cert, exts); + checkTLSClient(chain[0], exts); } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_JCE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) { - checkCodeSigning(cert, exts); + checkCodeSigning(chain[0], exts); } else if (variant.equals(Validator.VAR_TSA_SERVER)) { - checkTSAServer(cert, exts); + checkTSAServer(chain[0], exts); } else { throw new CertificateException("Unknown variant: " + variant); } @@ -165,7 +164,7 @@ // check if certificate should be distrusted according to policies // set in the jdk.security.caDistrustPolicies security property for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) { - policy.checkDistrust(variant, anchor, cert); + policy.checkDistrust(variant, chain); } } diff -r 1cde04cbcec6 -r f443de1cee05 src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java --- a/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java Tue Jan 22 10:25:22 2019 +0800 +++ b/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java Tue Jan 22 09:27:19 2019 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import java.time.Month; import java.time.ZoneOffset; import java.util.Date; +import java.util.Map; import java.util.Set; import sun.security.x509.X509CertImpl; @@ -119,6 +120,24 @@ "2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" ); + private static final LocalDate DECEMBER_31_2019 = + LocalDate.of(2019, Month.DECEMBER, 31); + // SHA-256 certificate fingerprints of subCAs with later distrust dates + private static final Map EXEMPT_SUBCAS = Map.of( + // Subject DN: C=US, O=Apple Inc., OU=Certification Authority, + // CN=Apple IST CA 2 - G1 + // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US + "AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B", + DECEMBER_31_2019, + // Subject DN: C=US, O=Apple Inc., OU=Certification Authority, + // CN=Apple IST CA 8 - G1 + // Issuer DN: CN=GeoTrust Primary Certification Authority - G2, + // OU=(c) 2007 GeoTrust Inc. - For authorized use only, + // O=GeoTrust Inc., C=US + "A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED", + DECEMBER_31_2019 + ); + // Any TLS Server certificate that is anchored by one of the Symantec // roots above and is issued after this date will be distrusted. private static final LocalDate APRIL_16_2019 = @@ -128,28 +147,47 @@ * This method assumes the eeCert is a TLS Server Cert and chains back to * the anchor. * - * @param anchor the trust anchor certificate - * @param eeCert the certificate to check + * @param chain the end-entity's certificate chain. The end entity cert + * is at index 0, the trust anchor at index n-1. * @throws ValidatorException if the certificate is distrusted */ - static void checkDistrust(X509Certificate anchor, - X509Certificate eeCert) + static void checkDistrust(X509Certificate[] chain) throws ValidatorException { - String fp = (anchor instanceof X509CertImpl) - ? ((X509CertImpl)anchor).getFingerprint("SHA-256") - : X509CertImpl.getFingerprint("SHA-256", anchor); - if (FINGERPRINTS.contains(fp)) { - // reject if certificate is issued after April 16, 2019 - Date notBefore = eeCert.getNotBefore(); + X509Certificate anchor = chain[chain.length-1]; + if (FINGERPRINTS.contains(fingerprint(anchor))) { + Date notBefore = chain[0].getNotBefore(); LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(), ZoneOffset.UTC); - if (ldNotBefore.isAfter(APRIL_16_2019)) { - throw new ValidatorException - ("TLS Server certificate issued after " + APRIL_16_2019 + - " and anchored by a distrusted legacy Symantec root CA: " - + anchor.getSubjectX500Principal(), - ValidatorException.T_UNTRUSTED_CERT, anchor); + // check if chain goes through one of the subCAs + if (chain.length > 2) { + X509Certificate subCA = chain[chain.length-2]; + LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA)); + if (distrustDate != null) { + // reject if certificate is issued after specified date + checkNotBefore(ldNotBefore, distrustDate, anchor); + return; // success + } } + // reject if certificate is issued after April 16, 2019 + checkNotBefore(ldNotBefore, APRIL_16_2019, anchor); + } + } + + private static String fingerprint(X509Certificate cert) { + return (cert instanceof X509CertImpl) + ? ((X509CertImpl)cert).getFingerprint("SHA-256") + : X509CertImpl.getFingerprint("SHA-256", cert); + } + + private static void checkNotBefore(LocalDate notBeforeDate, + LocalDate distrustDate, X509Certificate anchor) + throws ValidatorException { + if (notBeforeDate.isAfter(distrustDate)) { + throw new ValidatorException + ("TLS Server certificate issued after " + distrustDate + + " and anchored by a distrusted legacy Symantec root CA: " + + anchor.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, anchor); } } diff -r 1cde04cbcec6 -r f443de1cee05 src/java.base/share/classes/sun/security/validator/Validator.java --- a/src/java.base/share/classes/sun/security/validator/Validator.java Tue Jan 22 10:25:22 2019 +0800 +++ b/src/java.base/share/classes/sun/security/validator/Validator.java Tue Jan 22 09:27:19 2019 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -274,9 +274,8 @@ // redundant. boolean checkUnresolvedCritExts = (type == TYPE_PKIX) ? false : true; - endEntityChecker.check(chain[0], parameter, - checkUnresolvedCritExts, - chain[chain.length-1]); + endEntityChecker.check(chain, parameter, + checkUnresolvedCritExts); } return chain; diff -r 1cde04cbcec6 -r f443de1cee05 src/java.base/share/conf/security/java.security --- a/src/java.base/share/conf/security/java.security Tue Jan 22 10:25:22 2019 +0800 +++ b/src/java.base/share/conf/security/java.security Tue Jan 22 09:27:19 2019 -0500 @@ -1167,8 +1167,15 @@ # of which represents a policy for determining if a CA should be distrusted. # The supported values are: # -# SYMANTEC_TLS : Distrust TLS Server certificates anchored by -# a Symantec root CA and issued after April 16, 2019. +# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec +# root CA and issued after April 16, 2019 unless issued by one of the +# following subordinate CAs which have a later distrust date: +# 1. Apple IST CA 2 - G1, SHA-256 fingerprint: +# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B +# Distrust after December 31, 2019. +# 2. Apple IST CA 8 - G1, SHA-256 fingerprint: +# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED +# Distrust after December 31, 2019. # # Leading and trailing whitespace surrounding each value are ignored. # Unknown values are ignored. If the property is commented out or set to the diff -r 1cde04cbcec6 -r f443de1cee05 test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java --- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 10:25:22 2019 +0800 +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 09:27:19 2019 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -35,13 +35,15 @@ /** * @test - * @bug 8207258 + * @bug 8207258 8216280 * @summary Check that TLS Server certificates chaining back to distrusted * Symantec roots are invalid * @library /test/lib * @modules java.base/sun.security.validator - * @run main/othervm Distrust true - * @run main/othervm Distrust false + * @run main/othervm Distrust after policyOn invalid + * @run main/othervm Distrust after policyOff valid + * @run main/othervm Distrust before policyOn valid + * @run main/othervm Distrust before policyOff valid */ public class Distrust { @@ -57,35 +59,67 @@ "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca", "verisignclass3g5ca", "verisignuniversalrootca" }; + // Each of the subCAs with a delayed distrust date have a test certificate + // chain stored in a file named "-chain.pem". + private static String[] subCAsToTest = new String[] { + "appleistca2g1", "appleistca8g1" }; + // A date that is after the restrictions take affect private static final Date APRIL_17_2019 = Date.from(LocalDate.of(2019, 4, 17) .atStartOfDay(ZoneOffset.UTC) .toInstant()); + // A date that is a second before the restrictions take affect + private static final Date BEFORE_APRIL_17_2019 = + Date.from(LocalDate.of(2019, 4, 17) + .atStartOfDay(ZoneOffset.UTC) + .minusSeconds(1) + .toInstant()); + + // A date that is after the subCA restrictions take affect + private static final Date JANUARY_1_2020 = + Date.from(LocalDate.of(2020, 1, 1) + .atStartOfDay(ZoneOffset.UTC) + .toInstant()); + + // A date that is a second before the subCA restrictions take affect + private static final Date BEFORE_JANUARY_1_2020 = + Date.from(LocalDate.of(2020, 1, 1) + .atStartOfDay(ZoneOffset.UTC) + .minusSeconds(1) + .toInstant()); + public static void main(String[] args) throws Exception { cf = CertificateFactory.getInstance("X.509"); - boolean distrust = args[0].equals("true"); - if (!distrust) { - // disable policy + + boolean before = args[0].equals("before"); + boolean policyOn = args[1].equals("policyOn"); + boolean isValid = args[2].equals("valid"); + + if (!policyOn) { + // disable policy (default is on) Security.setProperty("jdk.security.caDistrustPolicies", ""); } + Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019; + X509TrustManager pkixTM = getTMF("PKIX", null); X509TrustManager sunX509TM = getTMF("SunX509", null); for (String test : rootsToTest) { System.err.println("Testing " + test); X509Certificate[] chain = loadCertificateChain(test); - testTM(sunX509TM, chain, !distrust); - testTM(pkixTM, chain, !distrust); + testTM(sunX509TM, chain, notBefore, isValid); + testTM(pkixTM, chain, notBefore, isValid); } // test chain if params are passed to TrustManager System.err.println("Testing verisignuniversalrootca with params"); testTM(getTMF("PKIX", getParams()), - loadCertificateChain("verisignuniversalrootca"), !distrust); + loadCertificateChain("verisignuniversalrootca"), + notBefore, isValid); // test code-signing chain (should be valid as restrictions don't apply) System.err.println("Testing verisignclass3g5ca code-signing chain"); @@ -95,6 +129,16 @@ // set validation date so this will still pass when cert expires v.setValidationDate(new Date(1544197375493l)); v.validate(loadCertificateChain("verisignclass3g5ca-codesigning")); + + // test chains issued through subCAs + notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020; + for (String test : subCAsToTest) { + System.err.println("Testing " + test); + X509Certificate[] chain = loadCertificateChain(test); + + testTM(sunX509TM, chain, notBefore, isValid); + testTM(pkixTM, chain, notBefore, isValid); + } } private static X509TrustManager getTMF(String type, @@ -122,12 +166,13 @@ } private static void testTM(X509TrustManager xtm, X509Certificate[] chain, - boolean valid) throws Exception { + Date notBefore, boolean valid) throws Exception { // Check if TLS Server certificate (the first element of the chain) - // is issued after April 16, 2019 (should be rejected unless distrust - // property is false). To do this, we need to fake the notBefore date - // since none of the test certs are issued after then. - chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019); + // is issued after the specified notBefore date (should be rejected + // unless distrust property is false). To do this, we need to + // fake the notBefore date since none of the test certs are issued + // after then. + chain[0] = new DistrustedTLSServerCert(chain[0], notBefore); try { xtm.checkServerTrusted(chain, "ECDHE_RSA"); diff -r 1cde04cbcec6 -r f443de1cee05 test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca2g1-chain.pem --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca2g1-chain.pem Tue Jan 22 09:27:19 2019 -0500 @@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIGGzCCBQOgAwIBAgIITJltLCqcD0gwDQYJKoZIhvcNAQELBQAwYjEcMBoGA1UE +AxMTQXBwbGUgSVNUIENBIDIgLSBHMTEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkxEzARBgNVBAoTCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5 +MDEwODIxMTcxNFoXDTIwMDgwODIxMjcwMFowgaoxSjBIBgNVBAMMQWFjdGl2ZS5n +ZW90cnVzdC1nbG9iYWwtY2EudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu +YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCjFUrVHTEX +0aVU6x9LiGa6oVr9blaCsMFrLicPQguc43Vs/pN+g4jzRXsTSMe9XefezBQb6tzZ +SMRXVB4kWMr4K1BVgQDkXeyoh4KrXRkdEF9ZIJPNxwTmmYUOc5M6NOYwkLelYz+t +7n1iNIGylbjwU4qwauElk2alFVqYTEPDLzwvqVDb9jMAJ8MPSDjfUlXW0XD9oXZM +hC+8LU9JBgJ3YBdzRHa4WnrudUbWjspqaNfAYpVIX0cfCJKnMsKqaSKjS4pIRtWm +L6NlCTCoIMyOh+wmbWPPX24H2D3+ump5FA35fRYbVznmosl5n1AK34S9tD4XZ7lO +WZKfaFi1liMCAwEAAaOCAoowggKGMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU +2HqURHyQcJAWnt0XnAFEA4bWKikwfgYIKwYBBQUHAQEEcjBwMDQGCCsGAQUFBzAC +hihodHRwOi8vY2VydHMuYXBwbGUuY29tL2FwcGxlaXN0Y2EyZzEuZGVyMDgGCCsG +AQUFBzABhixodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFwcGxlaXN0Y2Ey +ZzEwMTBMBgNVHREERTBDgkFhY3RpdmUuZ2VvdHJ1c3QtZ2xvYmFsLWNhLnRlc3Qt +cGFnZXMuY2VydGlmaWNhdGVtYW5hZ2VyLmFwcGxlLmNvbTCB/wYDVR0gBIH3MIH0 +MIHxBgoqhkiG92NkBQsEMIHiMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9u +IHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5j +ZSBvZiBhbnkgYXBwbGljYWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2Ug +YW5kL29yIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOQYIKwYB +BQUHAgEWLWh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5 +L3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAs +oCqgKIYmaHR0cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYTJnMS5jcmwwHQYD +VR0OBBYEFP0qkmFJhArI0MsfW0V+/wY9x4GSMA4GA1UdDwEB/wQEAwIFoDANBgkq +hkiG9w0BAQsFAAOCAQEATjT8M0bIq+mFc8k5cd4KDjCMBjYl/l3/8zKlWYGP+nl1 +KRogXcGRa3LcfpdJcqgMrx8e9Xohduvl8MBzwv671rYkppzZdsmZdLVorAdbL5GL +suhTjAS5yL3NBWNMRpeOgFsVr7YtPDEvo3CFsnzjg7THe0S6Y35oYukJtUzGUvSY +kC3ApBTdjj0vAeow+dbt+AHKnQiEnon4ToSFmtnkru08Uxe7uyHCQ2sLUg0EPYc9 +t9I8lviaHfK/mQoCzlme2O/H5Rher8dXCv8hVT1NKbsi28EpgpqcTLS+hn/Edc/q +4dPDoO1Ozs+ixRzFeMpA+JrnAyARb6qbSrAPBgtIbQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIDAjp0MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMTQwNjE2MTU0MjAyWhcNMjIwNTIwMTU0MjAyWjBiMRwwGgYDVQQD +ExNBcHBsZSBJU1QgQ0EgMiAtIEcxMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1 +dGhvcml0eTETMBEGA1UEChMKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQk6EdR0MgFrILa+vD1bTox5jN896/ +6E3p4zaAB/xFG2p8RYauVtOkCX9hDWtdflJrfbTIOcT0Zzr3g84Zb4YvfkV+Rxxn +UsqVBV3iNlGFwNRngDVvFd0+/R3S/Y80UNjsdiq+49Pa5P3I6ygClhGXF2Ec6cRZ +O0LcMtEJHdqm0UOG/16yvIzPZtsBiwKulEjzOI/96jKoCOyGl1GUJD5JSZZT6Hmh +QIHpBbuTlVH84/18EUv3ngizFUkVB/nRN6CbSzL2tcTcatH8Cu324MUpoKiLcf4N +krz+VHAYCm3H7Qz7yS0Gw4yF/MuGXNY2jhKLCX/7GRo41fCUMHoPpozzAgMBAAGj +ggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4E +FgQU2HqURHyQcJAWnt0XnAFEA4bWKikwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV +HQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29t +L2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYS +aHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEG +CCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3Bz +MA0GCSqGSIb3DQEBCwUAA4IBAQAWR3NvhaJi4ecqdruJlUIml7xKrKxwUzo/MYM9 +PByrmuKxXRx2GqA8DHJXvtOeUODImdZY1wLqzg0pVHzN9cLGkClVo28UqAtCDTqY +bQZ4nvBqox0CCqIopI3CgUY+bWfa3j/+hQ5CKhLetbf7uBunlux3n+zUU5V6/wf0 +8goUwFFSsdaOUAsamVy8C8m97e34XsFW201+I6QRoSzUGwWa5BtS9nw4mQVLunKN +QolgBGYq9P1o12v3mUEo1mwkq+YlUy7Igpnioo8jvjCDsSeL+mh/AUnoxphrEC6Y +XorXykuxx8lYmtA225aV7LaB5PLNbxt5h0wQPInkTfpU3Kqm +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG +EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg +R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9 +9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq +fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv +iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU +1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+ +bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW +MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA +ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l +uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn +Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS +tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF +PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un +hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV +5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== +-----END CERTIFICATE----- diff -r 1cde04cbcec6 -r f443de1cee05 test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem Tue Jan 22 09:27:19 2019 -0500 @@ -0,0 +1,64 @@ +-----BEGIN CERTIFICATE----- +MIIElDCCBDqgAwIBAgIIWax3IY1ByGIwCgYIKoZIzj0EAwIwYjEcMBoGA1UEAwwT +QXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5MDEw +ODIxMTAyNFoXDTIwMDgwODIxMjAwMFowga0xTTBLBgNVBAMMRGFjdGl2ZS5nZW90 +cnVzdC1nbG9iYWwtY2EtZzIudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu +YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD +VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN4oxNLGzmOIfgFRxDaU +SaOYTQVZCc7a7MXlK1L4/KgN22stgSkrg47aOWviMuzb9Q9hDA/Tn19o9Zr8G5ON +pYijggKMMIICiDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW +jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl +cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0 +cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDEwTwYDVR0R +BEgwRoJEYWN0aXZlLmdlb3RydXN0LWdsb2JhbC1jYS1nMi50ZXN0LXBhZ2VzLmNl +cnRpZmljYXRlbWFuYWdlci5hcHBsZS5jb20wgf4GA1UdIASB9jCB8zCB8AYKKoZI +hvdjZAULBDCB4TCBpAYIKwYBBQUHAgIwgZcMgZRSZWxpYW5jZSBvbiB0aGlzIGNl +cnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgYW55 +IGFwcGxpY2FibGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlIGFuZC9vciBj +ZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDgGCCsGAQUFBwICMCwM +Kmh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5LzAdBgNV +HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAsoCqgKIYmaHR0 +cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYThnMS5jcmwwHQYDVR0OBBYEFCQy +hU8U00tcIz6L0MCT6EGVho0EMA4GA1UdDwEB/wQEAwIDiDAKBggqhkjOPQQDAgNI +ADBFAiAl5nGHi2u8V0aJSp4o1i3TlK7ao8WvxwBuHKfuKibSLAIhAN8PZqhESS9u +V7Dr6qzs88yn/1z6oeqPwDsntFpUFtWG +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDVDCCAtugAwIBAgIQE1Iuv8HdXOEe8nZAdR/n3zAKBggqhkjOPQQDAzCBmDEL +MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj +KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2 +MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eSAtIEcyMB4XDTE2MDYwOTAwMDAwMFoXDTMxMDYwODIzNTk1OVowYjEcMBoGA1UE +AwwTQXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAELVSOaLAQE+/0LdvYCbJD6J1lmW40uNSXyY7J +1qgiNzLIcWDusPHyxWT2ukdf/OYHeDIt9sqAIMn9cPhykyGIRaOCATowggE2MBIG +A1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2cuc3lt +Y2IuY29tL0dlb1RydXN0UENBLUcyLmNybDAOBgNVHQ8BAf8EBAMCAQYwLgYIKwYB +BQUHAQEEIjAgMB4GCCsGAQUFBzABhhJodHRwOi8vZy5zeW1jZC5jb20wSQYDVR0g +BEIwQDA+BgZngQwBAgIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2VvdHJ1 +c3QuY29tL3Jlc291cmNlcy9jcHMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF +BwMCMB0GA1UdDgQWBBTDxKRYBWPXgwa6lo3cso8y9ru3QTAfBgNVHSMEGDAWgBQV +XzVXUVX7JbKtA2n8AaP6vhFV1TAKBggqhkjOPQQDAwNnADBkAjBH2jMNybjCk3Ts +OidXxJX9YDPMd5S3KDCv8vyTdJGhtoly7fQJRNv5rnVz+6YGfsMCMEp6wyheL7NK +mqavsduix2R+j1B3wRjelzJYgXzgM3nwhQKKlJWxpF7IGHuva1taxg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDEL +MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj +KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2 +MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgZgxCzAJBgNV +BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAw +NyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNV +BAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH +MjB2MBAGByqGSM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcL +So17VDs6bl8VAsBQps8lL33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLal +tJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+EVXVMAoG +CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT +qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz +rD6ogRLQy7rQkgu2npaqBA+K +-----END CERTIFICATE-----