This change backports enhancements to the CertificateBuilder test library to allow automated generation of certificates. It also replaces the static certificate in IPIdentities.java and is a pre-requisite for backporting JDK-8384815.
The change actually backports fairly cleanly. There are just a few context differences because of the absence of JDK-8350807, which makes IPIdentities.java explicitly use TLSv1.2, and JDK-8349501, which moves CertificateBuilder into the regular jdk.test.lib namespace.
A number of follow-ups, included as follow-on commits, are then needed to make IPIdentities.java pass, and then to make other CertificateBuilder-using classes pass again.
IPIdentities.java needs to have @library and @build lines added to use CertificateBuilder. This is based on its usage in existing test classes in 11u that already use it.
11u does not have SecureRandom.nextLong(long) so I ported this from java.util.random.RandomGenerator and jdk.internal.util.random.RandomSupport in 17u to jdk.test.lib.Utils. It is currently used by IPIdentities.java and CertificateBuilder.java and placing it in the library leaves the option open for other tests to use it.
JDK-8179502 is an enhancement change we don't want to backport, but it does update CertificateBuilder to actually consistently work to the Builder pattern, returning itself from its methods. This is necessary both for the usage introduced in this patch in IPIdentities.java and for the changes in 8384815, so builder invocations can be changed. I only included the return type changes from 8179502 and not the change to one of the methods.
Because CertificateBuilder now needs Utils from jdk.test.lib.Utils, a few tests that already used CertificateBuilder need to reference /test/lib.
I did start looking at backporting 8349501 but it is quite involved and has its own pre-requisites to explore. I wanted to make sure this and the follow-on could make the upcoming release and fix the currently broken test, so I worked around its absence for now. I do intend to backport it for the October release and this should clean up the dual library usage this change introduces by putting everything in jdk.test.lib.
Results for the tests which use CertificateBuilder look good with all passing after this patch.
$ make -C $HOME/builder/11u-dev run-test TEST="jtreg:sun/net/www/protocol/https jtreg:javax/net/ssl/Stapling jtreg:java/security/cert/CertPathValidator"
==============================
Test summary
==============================
   TEST                                                 TOTAL  PASS  FAIL ERROR
   jtreg:test/jdk/sun/net/www/protocol/https               27    27     0     0
   jtreg:test/jdk/javax/net/ssl/Stapling                    4     4     0     0
   jtreg:test/jdk/java/security/cert/CertPathValidator     14    14     0     0
==============================
TEST SUCCESS
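The description above mentions porting a bounded nextLong(long) into jdk.test.lib.Utils. The following is an added example, not the code from this PR or from the JDK: the class and helper names are hypothetical, and it shows how a bounded draw of this kind avoids modulo bias by rejecting candidates from the incomplete final block.

```java
import java.security.SecureRandom;
import java.util.Random;

public class BoundedNextLong {
    // Hypothetical helper (name and placement are assumptions): returns a
    // uniformly distributed value in [0, bound) from any java.util.Random,
    // including SecureRandom.
    static long nextLong(Random rng, long bound) {
        if (bound <= 0) {
            throw new IllegalArgumentException("bound must be positive");
        }
        long m = bound - 1;
        long r = rng.nextLong();
        if ((bound & m) == 0L) {
            // Power of two: masking the low bits is already uniform.
            return r & m;
        }
        // Otherwise take a 63-bit non-negative candidate u and reduce it.
        // The range [0, 2^63) ends in a partial block of (2^63 mod bound)
        // values; accepting those would make small results more likely.
        // u - (u % bound) + m is the last value of u's block: if that sum
        // overflows to a negative number, the block is partial, so redraw.
        for (long u = r >>> 1;
             u + m - (r = u % bound) < 0L;
             u = rng.nextLong() >>> 1) {
            // empty body: the loop header does the rejection
        }
        return r;
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        // Constructed sample bounds (not taken from the PR): one power of
        // two, one prime, and one large enough that rejection is frequent.
        long[] bounds = { 1L << 20, 1_000_000_007L, (1L << 62) + 1 };
        for (long bound : bounds) {
            for (int i = 0; i < 100_000; i++) {
                long v = nextLong(rng, bound);
                if (v < 0 || v >= bound) {
                    throw new AssertionError("out of range: " + v);
                }
            }
        }
        System.out.println("all draws within [0, bound)");
    }
}
```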
👋 Welcome back andrew! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.
❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.
openjdkBot changed the title from "Backport 9dbee307410971bbc46c52d18e9ef0134c736c5f" to "8325766: Extend CertificateBuilder to create trust and end entity certificates programmatically" on Jun 4, 2026
⚠️@gnu-andrew This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.
Ah, good catch. Not sure how I missed this. Maybe I assumed it was another instance of the other Stapling directory.
==============================
Test summary
==============================
TEST TOTAL PASS FAIL ERROR
jtreg:test/jdk/sun/security/ssl/Stapling 1 1 0 0
==============================
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/3222/head:pull/3222
$ git checkout pull/3222
Update a local copy of the PR:
$ git checkout pull/3222
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/3222/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 3222
View PR using the GUI difftool:
$ git pr show -t 3222
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/3222.diff