From 82c330b46498e78c67c1905535106c97536e4914 Mon Sep 17 00:00:00 2001 From: Goetz Lindenmaier Date: Tue, 1 Oct 2024 13:37:14 +0000 Subject: [PATCH] 8341059: Change Entrust TLS distrust date to November 12, 2024 Backport-of: eced83e13090748218ab3dac78f6ff1bddf2b158 --- .../sun/security/validator/CADistrustPolicy.java | 2 +- .../sun/security/validator/EntrustTLSPolicy.java | 8 ++++---- src/java.base/share/conf/security/java.security | 2 +- .../ssl/X509TrustManagerImpl/Entrust/Distrust.java | 12 ++++++------ 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java index e943bcce7ba..39aecc27ecd 100644 --- a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java +++ b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java @@ -57,7 +57,7 @@ void checkDistrust(String variant, X509Certificate[] chain) /** * Distrust TLS Server certificates anchored by an Entrust root CA and - * issued after October 31, 2024. If enabled, this policy is currently + * issued after November 11, 2024. If enabled, this policy is currently * enforced by the PKIX and SunX509 TrustManager implementations * of the SunJSSE provider implementation. */ diff --git a/src/java.base/share/classes/sun/security/validator/EntrustTLSPolicy.java b/src/java.base/share/classes/sun/security/validator/EntrustTLSPolicy.java index 730e5684fe6..a19c2e5039d 100644 --- a/src/java.base/share/classes/sun/security/validator/EntrustTLSPolicy.java +++ b/src/java.base/share/classes/sun/security/validator/EntrustTLSPolicy.java @@ -88,8 +88,8 @@ final class EntrustTLSPolicy { // Any TLS Server certificate that is anchored by one of the Entrust // roots above and is issued after this date will be distrusted. - private static final LocalDate OCTOBER_31_2024 = - LocalDate.of(2024, Month.OCTOBER, 31); + private static final LocalDate NOVEMBER_11_2024 = + LocalDate.of(2024, Month.NOVEMBER, 11); /** * This method assumes the eeCert is a TLS Server Cert and chains back to @@ -111,8 +111,8 @@ static void checkDistrust(X509Certificate[] chain) Date notBefore = chain[0].getNotBefore(); LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(), ZoneOffset.UTC); - // reject if certificate is issued after October 31, 2024 - checkNotBefore(ldNotBefore, OCTOBER_31_2024, anchor); + // reject if certificate is issued after November 11, 2024 + checkNotBefore(ldNotBefore, NOVEMBER_11_2024, anchor); } } diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index e3a42677744..6f3f5448b93 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -1288,7 +1288,7 @@ jdk.sasl.disabledMechanisms= # Distrust after December 31, 2019. # # ENTRUST_TLS : Distrust TLS Server certificates anchored by -# an Entrust root CA and issued after October 31, 2024. +# an Entrust root CA and issued after November 11, 2024. # # Leading and trailing whitespace surrounding each value are ignored. # Unknown values are ignored. If the property is commented out or set to the diff --git a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java index a9a47bf834c..1c1fcee3609 100644 --- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java +++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java @@ -35,7 +35,7 @@ /** * @test - * @bug 8337664 + * @bug 8337664 8341059 * @summary Check that TLS Server certificates chaining back to distrusted * Entrust roots are invalid * @library /test/lib @@ -59,14 +59,14 @@ public class Distrust { "affirmtrustpremiumca", "affirmtrustpremiumeccca" }; // A date that is after the restrictions take effect - private static final Date NOVEMBER_1_2024 = - Date.from(LocalDate.of(2024, 11, 1) + private static final Date NOVEMBER_12_2024 = + Date.from(LocalDate.of(2024, 11, 12) .atStartOfDay(ZoneOffset.UTC) .toInstant()); // A date that is a second before the restrictions take effect - private static final Date BEFORE_NOVEMBER_1_2024 = - Date.from(LocalDate.of(2024, 11, 1) + private static final Date BEFORE_NOVEMBER_12_2024 = + Date.from(LocalDate.of(2024, 11, 12) .atStartOfDay(ZoneOffset.UTC) .minusSeconds(1) .toInstant()); @@ -84,7 +84,7 @@ public static void main(String[] args) throws Exception { Security.setProperty("jdk.security.caDistrustPolicies", ""); } - Date notBefore = before ? BEFORE_NOVEMBER_1_2024 : NOVEMBER_1_2024; + Date notBefore = before ? BEFORE_NOVEMBER_12_2024 : NOVEMBER_12_2024; X509TrustManager pkixTM = getTMF("PKIX", null); X509TrustManager sunX509TM = getTMF("SunX509", null);