8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled #2085
Conversation
|
👋 Welcome back goetz! A progress list of the required criteria for merging this PR into |
|
@GoeLin This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 12 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
openjdk
bot
changed the title
|
This backport pull request has now been updated with issue from the original commit. |
openjdk
bot
added
backport
GoeLin
force-pushed
the
goetz_backport_8350807
branch
from
c2635d4 to
7c9d000
Compare
| CertificateBuilder builder = new CertificateBuilder() | ||
| .setSubjectName(subjectName) | ||
| .setPublicKey(publicKey) | ||
| .setNotAfter( |
There was a problem hiding this comment.
Should be setNotBefore. This makes the test work and avoids the NullPointerException which we have seen. This was fixed in head by openjdk/jdk@e544cd9#diff-d1ab84463ba0a7169ea2a4709b6860c8c943251adc4366f93cbc1d230247ef56R219.
|
Hi Martin, thanks, that helps!! |
|
OK, this now also passed our internal testing, including the new test. |
|
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java |
|
Otherwise looks okay to me, thanks for backporting. |
|
Hi @MBaesken |
okay that's why I did not see it when looking at the 'diff of the diffs' . |
|
|
openjdk
bot
added
approval
|
/integrate |
|
Going to push as commit 1cdf8f5.
Your commit was automatically rebased without conflicts. |
I backport this for parity with 21.0.9-oracle.
Resolved one copyright. It is already at 2025.
But test MD5NotAllowedInTLS13CertificateSignature.java is failing.
It throws ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
at MD5NotAllowedInTLS13CertificateSignature.lambda$main$1(MD5NotAllowedInTLS13CertificateSignature.java:100)
It expects an array of length 1 containing the exception javax.net.ssl.SSLHandshakeException: (bad_certificate) PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
All other testing, i.e. our nighlties and the tests touched here, pass.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk21u-dev.git pull/2085/head:pull/2085$ git checkout pull/2085Update a local copy of the PR:
$ git checkout pull/2085$ git pull https://git.openjdk.org/jdk21u-dev.git pull/2085/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 2085View PR using the GUI difftool:
$ git pr show -t 2085Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk21u-dev/pull/2085.diff
Using Webrev
Link to Webrev Comment