From 5d11bb03523f20a3f4bb39ac3f5221b86bddb133 Mon Sep 17 00:00:00 2001
From: Antonio Vieiro
Date: Thu, 21 May 2026 12:07:35 +0200
Subject: [PATCH 1/2] Backport ccb57972f4b73bd8320e9944ca081d933f47aae8
---
make/data/cacerts/wisekeyglobalrootgbca | 29 +++++++++++++++
make/data/cacerts/wisekeyglobalrootgcca | 22 +++++++++++
.../certification/CAInterop.java | 37 ++++++++++++++++++-
.../security/lib/cacerts/VerifyCACerts.java | 12 ++++--
4 files changed, 95 insertions(+), 5 deletions(-)
create mode 100644 make/data/cacerts/wisekeyglobalrootgbca
create mode 100644 make/data/cacerts/wisekeyglobalrootgcca
diff --git a/make/data/cacerts/wisekeyglobalrootgbca b/make/data/cacerts/wisekeyglobalrootgbca
new file mode 100644
index 00000000000..5c2c35d04c1
--- /dev/null
+++ b/make/data/cacerts/wisekeyglobalrootgbca
@@ -0,0 +1,29 @@
+Owner: CN=OISTE WISeKey Global Root GB CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
+Issuer: CN=OISTE WISeKey Global Root GB CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
+Serial number: 76b1205274f0858746b3f8231af6c2c0
+Valid from: Mon Dec 01 15:00:32 GMT 2014 until: Thu Dec 01 15:10:31 GMT 2039
+Signature algorithm name: SHA256withRSA
+Subject Public Key Algorithm: 2048-bit RSA key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt
+MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg
+Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i
+YWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAwMzJaFw0zOTEyMDExNTEwMzFaMG0x
+CzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBG
+b3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh
+bCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3
+HEokKtaXscriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGx
+WuR51jIjK+FTzJlFXHtPrby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX
+1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNk
+u7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4oQnc/nSMbsrY9gBQHTC5P
+99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvgGUpuuy9r
+M2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUB
+BAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrgh
+cViXfa43FK8+5/ea4n32cZiZBKpDdHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5
+gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0VQreUGdNZtGn//3ZwLWoo4rO
+ZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEuiHZeeevJuQHHf
+aPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic
+Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM=
+-----END CERTIFICATE-----
diff --git a/make/data/cacerts/wisekeyglobalrootgcca b/make/data/cacerts/wisekeyglobalrootgcca
new file mode 100644
index 00000000000..e42432b95a6
--- /dev/null
+++ b/make/data/cacerts/wisekeyglobalrootgcca
@@ -0,0 +1,22 @@
+Owner: CN=OISTE WISeKey Global Root GC CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
+Issuer: CN=OISTE WISeKey Global Root GC CA, OU=OISTE Foundation Endorsed, O=WISeKey, C=CH
+Serial number: 212a560caeda0cab4045bf2ba22d3aea
+Valid from: Tue May 09 09:48:34 GMT 2017 until: Fri May 09 09:58:33 GMT 2042
+Signature algorithm name: SHA384withECDSA
+Subject Public Key Algorithm: 384-bit EC (secp384r1) key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIICaTCCAe+gAwIBAgIQISpWDK7aDKtARb8roi066jAKBggqhkjOPQQDAzBtMQsw
+CQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91
+bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwg
+Um9vdCBHQyBDQTAeFw0xNzA1MDkwOTQ4MzRaFw00MjA1MDkwOTU4MzNaMG0xCzAJ
+BgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBGb3Vu
+ZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2JhbCBS
+b290IEdDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAETOlQwMYPchi82PG6s4ni
+eUqjFqdrVCTbUf/q9Akkwwsin8tqJ4KBDdLArzHkdIJuyiXZjHWd8dvQmqJLIX4W
+p2OQ0jnUsYd4XxiWD1AbNTcPasbc2RNNpI6QN+a9WzGRo1QwUjAOBgNVHQ8BAf8E
+BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUSIcUrOPDnpBgOtfKie7T
+rYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0EAwMDaAAwZQIwJsdpW9zV
+57LnyAyMjMPdeYwbY9XJUpROTYJKcx6ygISpJcBMWm1JKWB4E+J+SOtkAjEA2zQg
+Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
+-----END CERTIFICATE-----
diff --git a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
index fa596cdde1d..0fc087dacf3 100644
--- a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
+++ b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, 2025, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2023, 2026, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -497,6 +497,34 @@ * sectigotlsroote46 CRL */ +/* + * @test id=wisekeyglobalrootgbca + * @bug 8372351 + * @summary Interoperability tests with OISTE WISeKey Global Root GB CA + * @library /test/lib + * @build jtreg.SkippedException ValidatePathWithURL CAInterop + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop + * wisekeyglobalrootgbca OCSP + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp + * -Dcom.sun.security.ocsp.useget=false CAInterop wisekeyglobalrootgbca OCSP + * @run main/othervm/manual -Djava.security.debug=certpath CAInterop + * wisekeyglobalrootgbca CRL + */ + +/* + * @test id=wisekeyglobalrootgcca + * @bug 8372351 + * @summary Interoperability tests with OISTE WISeKey Global Root GC CA + * @library /test/lib + * @build jtreg.SkippedException ValidatePathWithURL CAInterop + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop + * wisekeyglobalrootgcca OCSP + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp + * -Dcom.sun.security.ocsp.useget=false CAInterop wisekeyglobalrootgcca OCSP + * @run main/othervm/manual -Djava.security.debug=certpath CAInterop + * wisekeyglobalrootgcca CRL + */ + /** * Collection of certificate validation tests for interoperability with external CAs. * These tests are marked as manual as they depend on external infrastructure and may fail 
@@ -675,6 +703,13 @@ private CATestURLs getTestURLs(String alias) { return new CATestURLs("https://sectigopublicserverauthenticationroote46-ev.sectigo.com", "https://sectigopublicserverauthenticationroote46-ev.sectigo.com:444"); + case "wisekeyglobalrootgbca": + return new CATestURLs("https://gbvalidssl.hightrusted.com", + "https://gbrevokedssl.hightrusted.com"); + case "wisekeyglobalrootgcca": + return new CATestURLs("https://gcvalidssl.hightrusted.com", + "https://gcrevokedssl.hightrusted.com"); + default: throw new RuntimeException("No test setup found for: " + alias); } } diff --git a/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java b/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java index e325d400ccf..9afd4e8b74b 100644 --- a/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java +++ b/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017, 2025, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2017, 2026, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,7 @@ * 8223499 8225392 8232019 8234245 8233223 8225068 8225069 8243321 8243320 * 8243559 8225072 8258630 8259312 8256421 8225081 8225082 8225083 8245654 * 8305975 8304760 8307134 8295894 8314960 8317373 8317374 8318759 8319187 - * 8321408 8316138 8341057 8303770 8350498 8359170 8361212 + * 8321408 8316138 8341057 8303770 8350498 8359170 8361212 8372351 * @summary Check root CA entries in cacerts file */ import java.io.ByteArrayInputStream; 
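Review bot: The two new cases in `getTestURLs` point at hosts under `hightrusted.com`, a name that does not by itself tie the endpoints to the CA being added, and nothing beside them records where the URLs were taken from. A short comment above the first case, for example `// valid / revoked test sites for the WISeKey GB and GC roots; source: <CA test-site listing>`, would let a later maintainer confirm the endpoints still belong to the operator before reading anything into a pass or a failure. The switch and the method start outside this hunk, so whether the older cases follow another convention cannot be seen from here.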
@@ -47,12 +47,12 @@ public class VerifyCACerts { + File.separator + "security" + File.separator + "cacerts"; // The numbers of certs now. - private static final int COUNT = 109; + private static final int COUNT = 111; // SHA-256 of cacerts, can be generated with // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95 private static final String CHECKSUM - = "F2:0C:60:47:49:FA:13:2A:03:A4:52:20:AD:46:7C:D0:3F:3D:A7:59:D6:27:E9:9B:CC:D4:5A:04:8D:2A:DE:9F"; + = "F3:8B:96:50:B5:FB:8C:20:47:E4:6E:B3:88:6C:2F:DF:F0:07:AA:F9:A7:E2:C1:D5:97:B3:92:1A:28:68:6A:F7"; // map of cert alias to SHA-256 fingerprint @SuppressWarnings("serial") @@ -276,6 +276,10 @@ public class VerifyCACerts { "7E:76:26:0A:E6:9A:55:D3:F0:60:B0:FD:18:B2:A8:C0:14:43:C8:7B:60:79:10:30:C9:FA:0B:05:85:10:1A:38"); put("sectigocodesignroote46 [jdk]", "8F:63:71:D8:CC:5A:A7:CA:14:96:67:A9:8B:54:96:39:89:51:E4:31:9F:7A:FB:CC:6A:66:0D:67:3E:43:8D:0B"); + put("wisekeyglobalrootgbca [jdk]", + "6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6"); + put("wisekeyglobalrootgcca [jdk]", + "85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D"); } }; From ff8cad867a1c39da40f5802a05d1017fb0b02a49 Mon Sep 17 00:00:00 2001 From: Antonio Vieiro Date: Thu, 28 May 2026 11:10:03 +0200 Subject: [PATCH 2/2] Dropping "-Dcom.sun.security.ocsp.useget=false" from CAInterop.java --- .../CertPathValidator/certification/CAInterop.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java index 0fc087dacf3..76db5f1805f 100644 --- a/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java +++ b/test/jdk/security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java 
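Review bot: The two fingerprints added to the map in the `@@ -276,6 +276,10 @@` hunk arrive in the same patch as the PEM files they describe, so a passing VerifyCACerts run shows only that the patch agrees with itself, not that these are the roots the CA actually operates. The SHA-256 values for `wisekeyglobalrootgbca` and `wisekeyglobalrootgcca` should be compared with what the CA publishes through an independent channel, and a comment such as `// cross-checked against the CA's published SHA-256, not derived from make/data/cacerts` above the two `put` calls would record that. The same care applies to `CHECKSUM` in the preceding hunk: it covers the whole cacerts file of this branch, so for a backport it should be regenerated with the `shasum` pipeline quoted in the comment above it rather than carried over from the mainline change, in case the branches do not ship the same set of roots. The class body continues outside both hunks.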
@@ -452,7 +452,7 @@ * @library /test/lib * @build jtreg.SkippedException ValidatePathWithURL CAInterop * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootecc2022 DEFAULT - * @run main/othervm/manual -Djava.security.debug=certpath,ocsp -Dcom.sun.security.ocsp.useget=false CAInterop ssltlsrootecc2022 DEFAULT + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootecc2022 DEFAULT * @run main/othervm/manual -Djava.security.debug=certpath CAInterop ssltlsrootecc2022 CRL */ @@ -463,7 +463,7 @@ * @library /test/lib * @build jtreg.SkippedException ValidatePathWithURL CAInterop * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootrsa2022 DEFAULT - * @run main/othervm/manual -Djava.security.debug=certpath,ocsp -Dcom.sun.security.ocsp.useget=false CAInterop ssltlsrootrsa2022 DEFAULT + * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootrsa2022 DEFAULT * @run main/othervm/manual -Djava.security.debug=certpath CAInterop ssltlsrootrsa2022 CRL */ @@ -477,7 +477,7 @@ * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop * sectigotlsrootr46 OCSP * @run main/othervm/manual -Djava.security.debug=certpath,ocsp - * -Dcom.sun.security.ocsp.useget=false CAInterop sectigotlsrootr46 OCSP + * CAInterop sectigotlsrootr46 OCSP * @run main/othervm/manual -Djava.security.debug=certpath CAInterop * sectigotlsrootr46 CRL */ @@ -492,7 +492,7 @@ * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop * sectigotlsroote46 OCSP * @run main/othervm/manual -Djava.security.debug=certpath,ocsp - * -Dcom.sun.security.ocsp.useget=false CAInterop sectigotlsroote46 OCSP + * CAInterop sectigotlsroote46 OCSP * @run main/othervm/manual -Djava.security.debug=certpath CAInterop * sectigotlsroote46 CRL */ 
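Review bot: Removing only the `-Dcom.sun.security.ocsp.useget=false` option leaves each test block with two identical runs; in the first hunk ` * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop ssltlsrootecc2022 DEFAULT` now appears twice in a row. The second run repeats the first and no longer exercises the OCSP request sent by POST, so the header suggests coverage that is not there. If the property is not available on this release line (presumably the reason for the change), delete the second `@run` entry in each block instead of stripping the flag, and say so in the commit message. The same applies to every hunk of this patch: ssltlsrootecc2022, ssltlsrootrsa2022, sectigotlsrootr46, sectigotlsroote46 and both wisekeyglobalroot blocks.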
@@ -506,7 +506,7 @@ * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop * wisekeyglobalrootgbca OCSP * @run main/othervm/manual -Djava.security.debug=certpath,ocsp - * -Dcom.sun.security.ocsp.useget=false CAInterop wisekeyglobalrootgbca OCSP + * CAInterop wisekeyglobalrootgbca OCSP * @run main/othervm/manual -Djava.security.debug=certpath CAInterop * wisekeyglobalrootgbca CRL */ @@ -520,7 +520,7 @@ * @run main/othervm/manual -Djava.security.debug=certpath,ocsp CAInterop * wisekeyglobalrootgcca OCSP * @run main/othervm/manual -Djava.security.debug=certpath,ocsp - * -Dcom.sun.security.ocsp.useget=false CAInterop wisekeyglobalrootgcca OCSP + * CAInterop wisekeyglobalrootgcca OCSP * @run main/othervm/manual -Djava.security.debug=certpath CAInterop * wisekeyglobalrootgcca CRL */