8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
Reviewed-by: coffeys
--- a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,17 +39,19 @@
enum CADistrustPolicy {
/**
* Distrust TLS Server certificates anchored by a Symantec root CA and
- * issued after April 16, 2019. If enabled, this policy is currently
- * enforced by the PKIX and SunX509 TrustManager implementations of the
- * SunJSSE provider implementation.
+ * issued after April 16, 2019 (with exceptions for a couple of subordinate
+ * CAs, see the jdk.security.caDistrustPolicies definition in the
+ * java.security file for more details). If enabled, this policy is
+ * currently enforced by the PKIX and SunX509 TrustManager implementations
+ * of the SunJSSE provider implementation.
*/
SYMANTEC_TLS {
- void checkDistrust(String variant, X509Certificate anchor,
- X509Certificate ee) throws ValidatorException {
+ void checkDistrust(String variant, X509Certificate[] chain)
+ throws ValidatorException {
if (!variant.equals(Validator.VAR_TLS_SERVER)) {
return;
}
- SymantecTLSPolicy.checkDistrust(anchor, ee);
+ SymantecTLSPolicy.checkDistrust(chain);
}
};
@@ -57,13 +59,13 @@
* Checks if the end-entity certificate is distrusted.
*
* @param variant the type of certificate being checked
- * @param anchor the trust anchor certificate
- * @param ee the end-entity certificate to check
+ * @param chain the end-entity's certificate chain. The end entity cert
+ * is at index 0, the trust anchor at index n-1.
* @throws ValidatorException if the end-entity certificate is distrusted
*/
abstract void checkDistrust(String variant,
- X509Certificate anchor,
- X509Certificate ee) throws ValidatorException;
+ X509Certificate[] chain)
+ throws ValidatorException;
// The policies set in the jdk.security.caDistrustPolicies property.
static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
--- a/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -132,27 +132,26 @@
return new EndEntityChecker(type, variant);
}
- void check(X509Certificate cert, Object parameter,
- boolean checkUnresolvedCritExts, X509Certificate anchor)
- throws CertificateException {
+ void check(X509Certificate[] chain, Object parameter,
+ boolean checkUnresolvedCritExts) throws CertificateException {
if (variant.equals(Validator.VAR_GENERIC)) {
return; // no checks
}
- Set<String> exts = getCriticalExtensions(cert);
+ Set<String> exts = getCriticalExtensions(chain[0]);
if (variant.equals(Validator.VAR_TLS_SERVER)) {
- checkTLSServer(cert, (String)parameter, exts);
+ checkTLSServer(chain[0], (String)parameter, exts);
} else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
- checkTLSClient(cert, exts);
+ checkTLSClient(chain[0], exts);
} else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_TSA_SERVER)) {
- checkTSAServer(cert, exts);
+ checkTSAServer(chain[0], exts);
} else {
throw new CertificateException("Unknown variant: " + variant);
}
@@ -165,7 +164,7 @@
// check if certificate should be distrusted according to policies
// set in the jdk.security.caDistrustPolicies security property
for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
- policy.checkDistrust(variant, anchor, cert);
+ policy.checkDistrust(variant, chain);
}
}
--- a/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
import java.time.Month;
import java.time.ZoneOffset;
import java.util.Date;
+import java.util.Map;
import java.util.Set;
import sun.security.x509.X509CertImpl;
@@ -119,6 +120,24 @@
"2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C"
);
+ private static final LocalDate DECEMBER_31_2019 =
+ LocalDate.of(2019, Month.DECEMBER, 31);
+ // SHA-256 certificate fingerprints of subCAs with later distrust dates
+ private static final Map<String, LocalDate> EXEMPT_SUBCAS = Map.of(
+ // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+ // CN=Apple IST CA 2 - G1
+ // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
+ "AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B",
+ DECEMBER_31_2019,
+ // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+ // CN=Apple IST CA 8 - G1
+ // Issuer DN: CN=GeoTrust Primary Certification Authority - G2,
+ // OU=(c) 2007 GeoTrust Inc. - For authorized use only,
+ // O=GeoTrust Inc., C=US
+ "A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED",
+ DECEMBER_31_2019
+ );
+
// Any TLS Server certificate that is anchored by one of the Symantec
// roots above and is issued after this date will be distrusted.
private static final LocalDate APRIL_16_2019 =
@@ -128,28 +147,47 @@
* This method assumes the eeCert is a TLS Server Cert and chains back to
* the anchor.
*
- * @param anchor the trust anchor certificate
- * @param eeCert the certificate to check
+ * @param chain the end-entity's certificate chain. The end entity cert
+ * is at index 0, the trust anchor at index n-1.
* @throws ValidatorException if the certificate is distrusted
*/
- static void checkDistrust(X509Certificate anchor,
- X509Certificate eeCert)
+ static void checkDistrust(X509Certificate[] chain)
throws ValidatorException {
- String fp = (anchor instanceof X509CertImpl)
- ? ((X509CertImpl)anchor).getFingerprint("SHA-256")
- : X509CertImpl.getFingerprint("SHA-256", anchor);
- if (FINGERPRINTS.contains(fp)) {
- // reject if certificate is issued after April 16, 2019
- Date notBefore = eeCert.getNotBefore();
+ X509Certificate anchor = chain[chain.length-1];
+ if (FINGERPRINTS.contains(fingerprint(anchor))) {
+ Date notBefore = chain[0].getNotBefore();
LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
ZoneOffset.UTC);
- if (ldNotBefore.isAfter(APRIL_16_2019)) {
- throw new ValidatorException
- ("TLS Server certificate issued after " + APRIL_16_2019 +
- " and anchored by a distrusted legacy Symantec root CA: "
- + anchor.getSubjectX500Principal(),
- ValidatorException.T_UNTRUSTED_CERT, anchor);
+ // check if chain goes through one of the subCAs
+ if (chain.length > 2) {
+ X509Certificate subCA = chain[chain.length-2];
+ LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA));
+ if (distrustDate != null) {
+ // reject if certificate is issued after specified date
+ checkNotBefore(ldNotBefore, distrustDate, anchor);
+ return; // success
+ }
}
+ // reject if certificate is issued after April 16, 2019
+ checkNotBefore(ldNotBefore, APRIL_16_2019, anchor);
+ }
+ }
+
+ private static String fingerprint(X509Certificate cert) {
+ return (cert instanceof X509CertImpl)
+ ? ((X509CertImpl)cert).getFingerprint("SHA-256")
+ : X509CertImpl.getFingerprint("SHA-256", cert);
+ }
+
+ private static void checkNotBefore(LocalDate notBeforeDate,
+ LocalDate distrustDate, X509Certificate anchor)
+ throws ValidatorException {
+ if (notBeforeDate.isAfter(distrustDate)) {
+ throw new ValidatorException
+ ("TLS Server certificate issued after " + distrustDate +
+ " and anchored by a distrusted legacy Symantec root CA: "
+ + anchor.getSubjectX500Principal(),
+ ValidatorException.T_UNTRUSTED_CERT, anchor);
}
}
--- a/src/java.base/share/classes/sun/security/validator/Validator.java Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/classes/sun/security/validator/Validator.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -274,9 +274,8 @@
// redundant.
boolean checkUnresolvedCritExts =
(type == TYPE_PKIX) ? false : true;
- endEntityChecker.check(chain[0], parameter,
- checkUnresolvedCritExts,
- chain[chain.length-1]);
+ endEntityChecker.check(chain, parameter,
+ checkUnresolvedCritExts);
}
return chain;
--- a/src/java.base/share/conf/security/java.security Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/conf/security/java.security Tue Jan 22 09:27:19 2019 -0500
@@ -1167,8 +1167,15 @@
# of which represents a policy for determining if a CA should be distrusted.
# The supported values are:
#
-# SYMANTEC_TLS : Distrust TLS Server certificates anchored by
-# a Symantec root CA and issued after April 16, 2019.
+# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
+# root CA and issued after April 16, 2019 unless issued by one of the
+# following subordinate CAs which have a later distrust date:
+# 1. Apple IST CA 2 - G1, SHA-256 fingerprint:
+# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
+# Distrust after December 31, 2019.
+# 2. Apple IST CA 8 - G1, SHA-256 fingerprint:
+# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
+# Distrust after December 31, 2019.
#
# Leading and trailing whitespace surrounding each value are ignored.
# Unknown values are ignored. If the property is commented out or set to the
--- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 10:25:22 2019 +0800
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -35,13 +35,15 @@
/**
* @test
- * @bug 8207258
+ * @bug 8207258 8216280
* @summary Check that TLS Server certificates chaining back to distrusted
* Symantec roots are invalid
* @library /test/lib
* @modules java.base/sun.security.validator
- * @run main/othervm Distrust true
- * @run main/othervm Distrust false
+ * @run main/othervm Distrust after policyOn invalid
+ * @run main/othervm Distrust after policyOff valid
+ * @run main/othervm Distrust before policyOn valid
+ * @run main/othervm Distrust before policyOff valid
*/
public class Distrust {
@@ -57,35 +59,67 @@
"thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
"verisignclass3g5ca", "verisignuniversalrootca" };
+ // Each of the subCAs with a delayed distrust date have a test certificate
+ // chain stored in a file named "<subCA>-chain.pem".
+ private static String[] subCAsToTest = new String[] {
+ "appleistca2g1", "appleistca8g1" };
+
// A date that is after the restrictions take affect
private static final Date APRIL_17_2019 =
Date.from(LocalDate.of(2019, 4, 17)
.atStartOfDay(ZoneOffset.UTC)
.toInstant());
+ // A date that is a second before the restrictions take affect
+ private static final Date BEFORE_APRIL_17_2019 =
+ Date.from(LocalDate.of(2019, 4, 17)
+ .atStartOfDay(ZoneOffset.UTC)
+ .minusSeconds(1)
+ .toInstant());
+
+ // A date that is after the subCA restrictions take affect
+ private static final Date JANUARY_1_2020 =
+ Date.from(LocalDate.of(2020, 1, 1)
+ .atStartOfDay(ZoneOffset.UTC)
+ .toInstant());
+
+ // A date that is a second before the subCA restrictions take affect
+ private static final Date BEFORE_JANUARY_1_2020 =
+ Date.from(LocalDate.of(2020, 1, 1)
+ .atStartOfDay(ZoneOffset.UTC)
+ .minusSeconds(1)
+ .toInstant());
+
public static void main(String[] args) throws Exception {
cf = CertificateFactory.getInstance("X.509");
- boolean distrust = args[0].equals("true");
- if (!distrust) {
- // disable policy
+
+ boolean before = args[0].equals("before");
+ boolean policyOn = args[1].equals("policyOn");
+ boolean isValid = args[2].equals("valid");
+
+ if (!policyOn) {
+ // disable policy (default is on)
Security.setProperty("jdk.security.caDistrustPolicies", "");
}
+ Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;
+
X509TrustManager pkixTM = getTMF("PKIX", null);
X509TrustManager sunX509TM = getTMF("SunX509", null);
for (String test : rootsToTest) {
System.err.println("Testing " + test);
X509Certificate[] chain = loadCertificateChain(test);
- testTM(sunX509TM, chain, !distrust);
- testTM(pkixTM, chain, !distrust);
+ testTM(sunX509TM, chain, notBefore, isValid);
+ testTM(pkixTM, chain, notBefore, isValid);
}
// test chain if params are passed to TrustManager
System.err.println("Testing verisignuniversalrootca with params");
testTM(getTMF("PKIX", getParams()),
- loadCertificateChain("verisignuniversalrootca"), !distrust);
+ loadCertificateChain("verisignuniversalrootca"),
+ notBefore, isValid);
// test code-signing chain (should be valid as restrictions don't apply)
System.err.println("Testing verisignclass3g5ca code-signing chain");
@@ -95,6 +129,16 @@
// set validation date so this will still pass when cert expires
v.setValidationDate(new Date(1544197375493l));
v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));
+
+ // test chains issued through subCAs
+ notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
+ for (String test : subCAsToTest) {
+ System.err.println("Testing " + test);
+ X509Certificate[] chain = loadCertificateChain(test);
+
+ testTM(sunX509TM, chain, notBefore, isValid);
+ testTM(pkixTM, chain, notBefore, isValid);
+ }
}
private static X509TrustManager getTMF(String type,
@@ -122,12 +166,13 @@
}
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
- boolean valid) throws Exception {
+ Date notBefore, boolean valid) throws Exception {
// Check if TLS Server certificate (the first element of the chain)
- // is issued after April 16, 2019 (should be rejected unless distrust
- // property is false). To do this, we need to fake the notBefore date
- // since none of the test certs are issued after then.
- chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019);
+ // is issued after the specified notBefore date (should be rejected
+ // unless distrust property is false). To do this, we need to
+ // fake the notBefore date since none of the test certs are issued
+ // after then.
+ chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);
try {
xtm.checkServerTrusted(chain, "ECDHE_RSA");
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca2g1-chain.pem Tue Jan 22 09:27:19 2019 -0500
@@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----
+MIIGGzCCBQOgAwIBAgIITJltLCqcD0gwDQYJKoZIhvcNAQELBQAwYjEcMBoGA1UE
+AxMTQXBwbGUgSVNUIENBIDIgLSBHMTEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkxEzARBgNVBAoTCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5
+MDEwODIxMTcxNFoXDTIwMDgwODIxMjcwMFowgaoxSjBIBgNVBAMMQWFjdGl2ZS5n
+ZW90cnVzdC1nbG9iYWwtY2EudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCjFUrVHTEX
+0aVU6x9LiGa6oVr9blaCsMFrLicPQguc43Vs/pN+g4jzRXsTSMe9XefezBQb6tzZ
+SMRXVB4kWMr4K1BVgQDkXeyoh4KrXRkdEF9ZIJPNxwTmmYUOc5M6NOYwkLelYz+t
+7n1iNIGylbjwU4qwauElk2alFVqYTEPDLzwvqVDb9jMAJ8MPSDjfUlXW0XD9oXZM
+hC+8LU9JBgJ3YBdzRHa4WnrudUbWjspqaNfAYpVIX0cfCJKnMsKqaSKjS4pIRtWm
+L6NlCTCoIMyOh+wmbWPPX24H2D3+ump5FA35fRYbVznmosl5n1AK34S9tD4XZ7lO
+WZKfaFi1liMCAwEAAaOCAoowggKGMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU
+2HqURHyQcJAWnt0XnAFEA4bWKikwfgYIKwYBBQUHAQEEcjBwMDQGCCsGAQUFBzAC
+hihodHRwOi8vY2VydHMuYXBwbGUuY29tL2FwcGxlaXN0Y2EyZzEuZGVyMDgGCCsG
+AQUFBzABhixodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFwcGxlaXN0Y2Ey
+ZzEwMTBMBgNVHREERTBDgkFhY3RpdmUuZ2VvdHJ1c3QtZ2xvYmFsLWNhLnRlc3Qt
+cGFnZXMuY2VydGlmaWNhdGVtYW5hZ2VyLmFwcGxlLmNvbTCB/wYDVR0gBIH3MIH0
+MIHxBgoqhkiG92NkBQsEMIHiMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9u
+IHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5j
+ZSBvZiBhbnkgYXBwbGljYWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2Ug
+YW5kL29yIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOQYIKwYB
+BQUHAgEWLWh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5
+L3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAs
+oCqgKIYmaHR0cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYTJnMS5jcmwwHQYD
+VR0OBBYEFP0qkmFJhArI0MsfW0V+/wY9x4GSMA4GA1UdDwEB/wQEAwIFoDANBgkq
+hkiG9w0BAQsFAAOCAQEATjT8M0bIq+mFc8k5cd4KDjCMBjYl/l3/8zKlWYGP+nl1
+KRogXcGRa3LcfpdJcqgMrx8e9Xohduvl8MBzwv671rYkppzZdsmZdLVorAdbL5GL
+suhTjAS5yL3NBWNMRpeOgFsVr7YtPDEvo3CFsnzjg7THe0S6Y35oYukJtUzGUvSY
+kC3ApBTdjj0vAeow+dbt+AHKnQiEnon4ToSFmtnkru08Uxe7uyHCQ2sLUg0EPYc9
+t9I8lviaHfK/mQoCzlme2O/H5Rher8dXCv8hVT1NKbsi28EpgpqcTLS+hn/Edc/q
+4dPDoO1Ozs+ixRzFeMpA+JrnAyARb6qbSrAPBgtIbQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIDAjp0MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTQwNjE2MTU0MjAyWhcNMjIwNTIwMTU0MjAyWjBiMRwwGgYDVQQD
+ExNBcHBsZSBJU1QgQ0EgMiAtIEcxMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1
+dGhvcml0eTETMBEGA1UEChMKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQk6EdR0MgFrILa+vD1bTox5jN896/
+6E3p4zaAB/xFG2p8RYauVtOkCX9hDWtdflJrfbTIOcT0Zzr3g84Zb4YvfkV+Rxxn
+UsqVBV3iNlGFwNRngDVvFd0+/R3S/Y80UNjsdiq+49Pa5P3I6ygClhGXF2Ec6cRZ
+O0LcMtEJHdqm0UOG/16yvIzPZtsBiwKulEjzOI/96jKoCOyGl1GUJD5JSZZT6Hmh
+QIHpBbuTlVH84/18EUv3ngizFUkVB/nRN6CbSzL2tcTcatH8Cu324MUpoKiLcf4N
+krz+VHAYCm3H7Qz7yS0Gw4yF/MuGXNY2jhKLCX/7GRo41fCUMHoPpozzAgMBAAGj
+ggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4E
+FgQU2HqURHyQcJAWnt0XnAFEA4bWKikwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
+HQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29t
+L2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYS
+aHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEG
+CCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3Bz
+MA0GCSqGSIb3DQEBCwUAA4IBAQAWR3NvhaJi4ecqdruJlUIml7xKrKxwUzo/MYM9
+PByrmuKxXRx2GqA8DHJXvtOeUODImdZY1wLqzg0pVHzN9cLGkClVo28UqAtCDTqY
+bQZ4nvBqox0CCqIopI3CgUY+bWfa3j/+hQ5CKhLetbf7uBunlux3n+zUU5V6/wf0
+8goUwFFSsdaOUAsamVy8C8m97e34XsFW201+I6QRoSzUGwWa5BtS9nw4mQVLunKN
+QolgBGYq9P1o12v3mUEo1mwkq+YlUy7Igpnioo8jvjCDsSeL+mh/AUnoxphrEC6Y
+XorXykuxx8lYmtA225aV7LaB5PLNbxt5h0wQPInkTfpU3Kqm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
+R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
+9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
+fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
+iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
+1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
+MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
+ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
+uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
+Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
+tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
+PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
+hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
+5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
+-----END CERTIFICATE-----
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem Tue Jan 22 09:27:19 2019 -0500
@@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCBDqgAwIBAgIIWax3IY1ByGIwCgYIKoZIzj0EAwIwYjEcMBoGA1UEAwwT
+QXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5MDEw
+ODIxMTAyNFoXDTIwMDgwODIxMjAwMFowga0xTTBLBgNVBAMMRGFjdGl2ZS5nZW90
+cnVzdC1nbG9iYWwtY2EtZzIudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN4oxNLGzmOIfgFRxDaU
+SaOYTQVZCc7a7MXlK1L4/KgN22stgSkrg47aOWviMuzb9Q9hDA/Tn19o9Zr8G5ON
+pYijggKMMIICiDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW
+jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl
+cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0
+cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDEwTwYDVR0R
+BEgwRoJEYWN0aXZlLmdlb3RydXN0LWdsb2JhbC1jYS1nMi50ZXN0LXBhZ2VzLmNl
+cnRpZmljYXRlbWFuYWdlci5hcHBsZS5jb20wgf4GA1UdIASB9jCB8zCB8AYKKoZI
+hvdjZAULBDCB4TCBpAYIKwYBBQUHAgIwgZcMgZRSZWxpYW5jZSBvbiB0aGlzIGNl
+cnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgYW55
+IGFwcGxpY2FibGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlIGFuZC9vciBj
+ZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDgGCCsGAQUFBwICMCwM
+Kmh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5LzAdBgNV
+HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAsoCqgKIYmaHR0
+cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYThnMS5jcmwwHQYDVR0OBBYEFCQy
+hU8U00tcIz6L0MCT6EGVho0EMA4GA1UdDwEB/wQEAwIDiDAKBggqhkjOPQQDAgNI
+ADBFAiAl5nGHi2u8V0aJSp4o1i3TlK7ao8WvxwBuHKfuKibSLAIhAN8PZqhESS9u
+V7Dr6qzs88yn/1z6oeqPwDsntFpUFtWG
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAtugAwIBAgIQE1Iuv8HdXOEe8nZAdR/n3zAKBggqhkjOPQQDAzCBmDEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj
+KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2
+MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eSAtIEcyMB4XDTE2MDYwOTAwMDAwMFoXDTMxMDYwODIzNTk1OVowYjEcMBoGA1UE
+AwwTQXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAELVSOaLAQE+/0LdvYCbJD6J1lmW40uNSXyY7J
+1qgiNzLIcWDusPHyxWT2ukdf/OYHeDIt9sqAIMn9cPhykyGIRaOCATowggE2MBIG
+A1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2cuc3lt
+Y2IuY29tL0dlb1RydXN0UENBLUcyLmNybDAOBgNVHQ8BAf8EBAMCAQYwLgYIKwYB
+BQUHAQEEIjAgMB4GCCsGAQUFBzABhhJodHRwOi8vZy5zeW1jZC5jb20wSQYDVR0g
+BEIwQDA+BgZngQwBAgIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2VvdHJ1
+c3QuY29tL3Jlc291cmNlcy9jcHMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMB0GA1UdDgQWBBTDxKRYBWPXgwa6lo3cso8y9ru3QTAfBgNVHSMEGDAWgBQV
+XzVXUVX7JbKtA2n8AaP6vhFV1TAKBggqhkjOPQQDAwNnADBkAjBH2jMNybjCk3Ts
+OidXxJX9YDPMd5S3KDCv8vyTdJGhtoly7fQJRNv5rnVz+6YGfsMCMEp6wyheL7NK
+mqavsduix2R+j1B3wRjelzJYgXzgM3nwhQKKlJWxpF7IGHuva1taxg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj
+KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2
+MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgZgxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAw
+NyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNV
+BAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
+MjB2MBAGByqGSM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcL
+So17VDs6bl8VAsBQps8lL33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLal
+tJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+EVXVMAoG
+CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT
+qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz
+rD6ogRLQy7rQkgu2npaqBA+K
+-----END CERTIFICATE-----