8341059: Change Entrust TLS distrust date to November 12, 2024
Reviewed-by: sgehwolf
Backport-of: f554c3ffce7599fdb535b03db4a6ea96870b3c2d
gnu-andrew committed Oct 3, 2024
1 parent 6acc668 commit 02b8101
Showing 8 changed files with 16 additions and 16 deletions.
Expand Up @@ -57,7 +57,7 @@ void checkDistrust(String variant, X509Certificate[] chain)

/**
* Distrust TLS Server certificates anchored by an Entrust root CA and
* issued after October 31, 2024. If enabled, this policy is currently
* issued after November 11, 2024. If enabled, this policy is currently
* enforced by the PKIX and SunX509 TrustManager implementations
* of the SunJSSE provider implementation.
*/
Expand Up @@ -92,8 +92,8 @@ final class EntrustTLSPolicy {

// Any TLS Server certificate that is anchored by one of the Entrust
// roots above and is issued after this date will be distrusted.
private static final LocalDate OCTOBER_31_2024 =
LocalDate.of(2024, Month.OCTOBER, 31);
private static final LocalDate NOVEMBER_11_2024 =
LocalDate.of(2024, Month.NOVEMBER, 11);

/**
* This method assumes the eeCert is a TLS Server Cert and chains back to
Expand All @@ -115,8 +115,8 @@ static void checkDistrust(X509Certificate[] chain)
Date notBefore = chain[0].getNotBefore();
LocalDate ldNotBefore = notBefore.toInstant()
.atZone(ZoneOffset.UTC).toLocalDate();
// reject if certificate is issued after October 31, 2024
checkNotBefore(ldNotBefore, OCTOBER_31_2024, anchor);
// reject if certificate is issued after November 11, 2024
checkNotBefore(ldNotBefore, NOVEMBER_11_2024, anchor);
}
}

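Review bot: The comment above `NOVEMBER_11_2024` says "issued after this date" without stating that the comparison is made on the calendar day in UTC, which is what the second hunk does with `notBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate()`. Because the commit title names November 12 while the constant and comments name November 11, I would spell the boundary out, e.g. `// Last notBefore day (UTC) that is still trusted; November 12, 2024 00:00 UTC and later is distrusted.` This assumes `checkNotBefore`, whose body is not on the page, rejects only dates strictly after the constant. The same "issued after November 11, 2024" wording, with no time zone, appears in the policy Javadoc in the first file section and in the java.security-* comments. Both `EntrustTLSPolicy` and `checkDistrust` continue outside the hunks shown.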
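--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -1213,7 +1213,7 @@ jdk.sasl.disabledMechanisms=
 # Distrust after December 31, 2019.
 #
 # ENTRUST_TLS : Distrust TLS Server certificates anchored by
-# an Entrust root CA and issued after October 31, 2024.
+# an Entrust root CA and issued after November 11, 2024.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the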
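--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -1219,7 +1219,7 @@ jdk.sasl.disabledMechanisms=
 # Distrust after December 31, 2019.
 #
 # ENTRUST_TLS : Distrust TLS Server certificates anchored by
-# an Entrust root CA and issued after October 31, 2024.
+# an Entrust root CA and issued after November 11, 2024.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the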
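--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -1217,7 +1217,7 @@ jdk.sasl.disabledMechanisms=
 # Distrust after December 31, 2019.
 #
 # ENTRUST_TLS : Distrust TLS Server certificates anchored by
-# an Entrust root CA and issued after October 31, 2024.
+# an Entrust root CA and issued after November 11, 2024.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the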
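--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -1215,7 +1215,7 @@ jdk.sasl.disabledMechanisms=
 # Distrust after December 31, 2019.
 #
 # ENTRUST_TLS : Distrust TLS Server certificates anchored by
-# an Entrust root CA and issued after October 31, 2024.
+# an Entrust root CA and issued after November 11, 2024.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the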
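--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -1217,7 +1217,7 @@ jdk.sasl.disabledMechanisms=
 # Distrust after December 31, 2019.
 #
 # ENTRUST_TLS : Distrust TLS Server certificates anchored by
-# an Entrust root CA and issued after October 31, 2024.
+# an Entrust root CA and issued after November 11, 2024.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the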
Expand Up @@ -33,7 +33,7 @@

/**
* @test
* @bug 8337664
* @bug 8337664 8341059
* @summary Check that TLS Server certificates chaining back to distrusted
* Entrust roots are invalid
* @library /lib/security
Expand All @@ -56,14 +56,14 @@ public class Distrust {
"affirmtrustpremiumca", "affirmtrustpremiumeccca" };

// A date that is after the restrictions take effect
private static final Date NOVEMBER_1_2024 =
Date.from(LocalDate.of(2024, 11, 1)
private static final Date NOVEMBER_12_2024 =
Date.from(LocalDate.of(2024, 11, 12)
.atStartOfDay(ZoneOffset.UTC)
.toInstant());

// A date that is a second before the restrictions take effect
private static final Date BEFORE_NOVEMBER_1_2024 =
Date.from(LocalDate.of(2024, 11, 1)
private static final Date BEFORE_NOVEMBER_12_2024 =
Date.from(LocalDate.of(2024, 11, 12)
.atStartOfDay(ZoneOffset.UTC)
.minusSeconds(1)
.toInstant());
Expand All @@ -81,7 +81,7 @@ public static void main(String[] args) throws Exception {
Security.setProperty("jdk.security.caDistrustPolicies", "");
}

Date notBefore = before ? BEFORE_NOVEMBER_1_2024 : NOVEMBER_1_2024;
Date notBefore = before ? BEFORE_NOVEMBER_12_2024 : NOVEMBER_12_2024;

X509TrustManager pkixTM = getTMF("PKIX", null);
X509TrustManager sunX509TM = getTMF("SunX509", null);
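Review bot: `NOVEMBER_12_2024` and `BEFORE_NOVEMBER_12_2024` each repeat the literal `LocalDate.of(2024, 11, 12)`, and nothing in the test records that this value is the policy's November 11 cutoff plus one day. A comment on the first constant such as `// First instant (UTC) at which EntrustTLSPolicy distrusts a certificate: the day after its November 11, 2024 cutoff` would keep the test and the policy in step the next time the date moves. Without it, a later change that edits only one of the three places still compiles, and the test may pass while no longer exercising the boundary. The `Distrust` class and `main` continue outside the hunks shown.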
