8216280: Allow later Symantec Policy distrust date for two Apple SubCAs

Reviewed-by: coffeys
2019-01-22 09:27:19 -05:00 · 2019-01-22 09:27:19 -05:00 · c9bea6a8ea
commit c9bea6a8ea
parent c0de8f27a5
8 changed files with 295 additions and 61 deletions
--- a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java
+++ b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -39,17 +39,19 @@ import sun.security.util.Debug;
 enum CADistrustPolicy {
    /**
     * Distrust TLS Server certificates anchored by a Symantec root CA and
-     * issued after April 16, 2019. If enabled, this policy is currently
-     * enforced by the PKIX and SunX509 TrustManager implementations of the
-     * SunJSSE provider implementation.
+     * issued after April 16, 2019 (with exceptions for a couple of subordinate
+     * CAs, see the jdk.security.caDistrustPolicies definition in the
+     * java.security file for more details). If enabled, this policy is
+     * currently enforced by the PKIX and SunX509 TrustManager implementations
+     * of the SunJSSE provider implementation.
     */
    SYMANTEC_TLS {
-        void checkDistrust(String variant, X509Certificate anchor,
-                           X509Certificate ee) throws ValidatorException {
+        void checkDistrust(String variant, X509Certificate[] chain)
+                           throws ValidatorException {
            if (!variant.equals(Validator.VAR_TLS_SERVER)) {
                return;
            }
-            SymantecTLSPolicy.checkDistrust(anchor, ee);
+            SymantecTLSPolicy.checkDistrust(chain);
        }
    };

@ -57,13 +59,13 @@ enum CADistrustPolicy {
     * Checks if the end-entity certificate is distrusted.
     *
     * @param variant the type of certificate being checked
-     * @param anchor the trust anchor certificate
-     * @param ee the end-entity certificate to check
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
     * @throws ValidatorException if the end-entity certificate is distrusted
     */
    abstract void checkDistrust(String variant,
-                                X509Certificate anchor,
-                                X509Certificate ee) throws ValidatorException;
+                                X509Certificate[] chain)
+                                throws ValidatorException;

    // The policies set in the jdk.security.caDistrustPolicies property.
    static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
--- a/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
+++ b/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -132,27 +132,26 @@ class EndEntityChecker {
        return new EndEntityChecker(type, variant);
    }

-    void check(X509Certificate cert, Object parameter,
-            boolean checkUnresolvedCritExts, X509Certificate anchor)
-            throws CertificateException {
+    void check(X509Certificate[] chain, Object parameter,
+            boolean checkUnresolvedCritExts) throws CertificateException {

        if (variant.equals(Validator.VAR_GENERIC)) {
            return; // no checks
        }

-        Set<String> exts = getCriticalExtensions(cert);
+        Set<String> exts = getCriticalExtensions(chain[0]);
        if (variant.equals(Validator.VAR_TLS_SERVER)) {
-            checkTLSServer(cert, (String)parameter, exts);
+            checkTLSServer(chain[0], (String)parameter, exts);
        } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
-            checkTLSClient(cert, exts);
+            checkTLSClient(chain[0], exts);
        } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
        } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
        } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
        } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
-            checkTSAServer(cert, exts);
+            checkTSAServer(chain[0], exts);
        } else {
            throw new CertificateException("Unknown variant: " + variant);
        }
@ -165,7 +164,7 @@ class EndEntityChecker {
        // check if certificate should be distrusted according to policies
        // set in the jdk.security.caDistrustPolicies security property
        for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
-            policy.checkDistrust(variant, anchor, cert);
+            policy.checkDistrust(variant, chain);
        }
    }

--- a/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java
+++ b/src/java.base/share/classes/sun/security/validator/SymantecTLSPolicy.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -29,6 +29,7 @@ import java.time.LocalDate;
 import java.time.Month;
 import java.time.ZoneOffset;
 import java.util.Date;
+import java.util.Map;
 import java.util.Set;

 import sun.security.x509.X509CertImpl;
@ -119,6 +120,24 @@ final class SymantecTLSPolicy {
        "2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C"
    );

+    private static final LocalDate DECEMBER_31_2019 =
+        LocalDate.of(2019, Month.DECEMBER, 31);
+    // SHA-256 certificate fingerprints of subCAs with later distrust dates
+    private static final Map<String, LocalDate> EXEMPT_SUBCAS = Map.of(
+        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+        //             CN=Apple IST CA 2 - G1
+        // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
+        "AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B",
+        DECEMBER_31_2019,
+        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+        //             CN=Apple IST CA 8 - G1
+        // Issuer DN: CN=GeoTrust Primary Certification Authority - G2,
+        //            OU=(c) 2007 GeoTrust Inc. - For authorized use only,
+        //            O=GeoTrust Inc., C=US
+        "A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED",
+        DECEMBER_31_2019
+    );
+
    // Any TLS Server certificate that is anchored by one of the Symantec
    // roots above and is issued after this date will be distrusted.
    private static final LocalDate APRIL_16_2019 =
@ -128,28 +147,47 @@ final class SymantecTLSPolicy {
     * This method assumes the eeCert is a TLS Server Cert and chains back to
     * the anchor.
     *
-     * @param anchor the trust anchor certificate
-     * @param eeCert the certificate to check
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
     * @throws ValidatorException if the certificate is distrusted
     */
-    static void checkDistrust(X509Certificate anchor,
-                              X509Certificate eeCert)
+    static void checkDistrust(X509Certificate[] chain)
                              throws ValidatorException {
-        String fp = (anchor instanceof X509CertImpl)
-                    ? ((X509CertImpl)anchor).getFingerprint("SHA-256")
-                    : X509CertImpl.getFingerprint("SHA-256", anchor);
-        if (FINGERPRINTS.contains(fp)) {
-            // reject if certificate is issued after April 16, 2019
-            Date notBefore = eeCert.getNotBefore();
+        X509Certificate anchor = chain[chain.length-1];
+        if (FINGERPRINTS.contains(fingerprint(anchor))) {
+            Date notBefore = chain[0].getNotBefore();
            LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
                                                        ZoneOffset.UTC);
-            if (ldNotBefore.isAfter(APRIL_16_2019)) {
-                throw new ValidatorException
-                    ("TLS Server certificate issued after " + APRIL_16_2019 +
-                     " and anchored by a distrusted legacy Symantec root CA: "
-                     + anchor.getSubjectX500Principal(),
-                     ValidatorException.T_UNTRUSTED_CERT, anchor);
+            // check if chain goes through one of the subCAs
+            if (chain.length > 2) {
+                X509Certificate subCA = chain[chain.length-2];
+                LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA));
+                if (distrustDate != null) {
+                    // reject if certificate is issued after specified date
+                    checkNotBefore(ldNotBefore, distrustDate, anchor);
+                    return; // success
+                }
            }
+            // reject if certificate is issued after April 16, 2019
+            checkNotBefore(ldNotBefore, APRIL_16_2019, anchor);
+        }
+    }
+
+    private static String fingerprint(X509Certificate cert) {
+        return (cert instanceof X509CertImpl)
+               ? ((X509CertImpl)cert).getFingerprint("SHA-256")
+               : X509CertImpl.getFingerprint("SHA-256", cert);
+    }
+
+    private static void checkNotBefore(LocalDate notBeforeDate,
+            LocalDate distrustDate, X509Certificate anchor)
+            throws ValidatorException {
+        if (notBeforeDate.isAfter(distrustDate)) {
+            throw new ValidatorException
+                ("TLS Server certificate issued after " + distrustDate +
+                 " and anchored by a distrusted legacy Symantec root CA: "
+                 + anchor.getSubjectX500Principal(),
+                 ValidatorException.T_UNTRUSTED_CERT, anchor);
        }
    }

--- a/src/java.base/share/classes/sun/security/validator/Validator.java
+++ b/src/java.base/share/classes/sun/security/validator/Validator.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -274,9 +274,8 @@ public abstract class Validator {
            // redundant.
            boolean checkUnresolvedCritExts =
                    (type == TYPE_PKIX) ? false : true;
-            endEntityChecker.check(chain[0], parameter,
-                                   checkUnresolvedCritExts,
-                                   chain[chain.length-1]);
+            endEntityChecker.check(chain, parameter,
+                                   checkUnresolvedCritExts);
        }

        return chain;
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -1167,8 +1167,15 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
 # of which represents a policy for determining if a CA should be distrusted.
 # The supported values are:
 #
-# SYMANTEC_TLS : Distrust TLS Server certificates anchored by
-#                a Symantec root CA and issued after April 16, 2019.
+#   SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
+#   root CA and issued after April 16, 2019 unless issued by one of the
+#   following subordinate CAs which have a later distrust date:
+#     1. Apple IST CA 2 - G1, SHA-256 fingerprint:
+#        AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
+#        Distrust after December 31, 2019.
+#     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
+#        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
+#        Distrust after December 31, 2019.
 #
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
--- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -35,13 +35,15 @@ import jdk.test.lib.security.SecurityUtils;

 /**
 * @test
- * @bug 8207258
+ * @bug 8207258 8216280
 * @summary Check that TLS Server certificates chaining back to distrusted
 *          Symantec roots are invalid
 * @library /test/lib
 * @modules java.base/sun.security.validator
- * @run main/othervm Distrust true
- * @run main/othervm Distrust false
+ * @run main/othervm Distrust after policyOn invalid
+ * @run main/othervm Distrust after policyOff valid
+ * @run main/othervm Distrust before policyOn valid
+ * @run main/othervm Distrust before policyOff valid
 */

 public class Distrust {
@ -57,35 +59,67 @@ public class Distrust {
        "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
        "verisignclass3g5ca", "verisignuniversalrootca" };

+    // Each of the subCAs with a delayed distrust date have a test certificate
+    // chain stored in a file named "<subCA>-chain.pem".
+    private static String[] subCAsToTest = new String[] {
+        "appleistca2g1", "appleistca8g1" };
+
    // A date that is after the restrictions take affect
    private static final Date APRIL_17_2019 =
        Date.from(LocalDate.of(2019, 4, 17)
                           .atStartOfDay(ZoneOffset.UTC)
                           .toInstant());

+    // A date that is a second before the restrictions take affect
+    private static final Date BEFORE_APRIL_17_2019 =
+        Date.from(LocalDate.of(2019, 4, 17)
+                           .atStartOfDay(ZoneOffset.UTC)
+                           .minusSeconds(1)
+                           .toInstant());
+
+    // A date that is after the subCA restrictions take affect
+    private static final Date JANUARY_1_2020 =
+        Date.from(LocalDate.of(2020, 1, 1)
+                           .atStartOfDay(ZoneOffset.UTC)
+                           .toInstant());
+
+    // A date that is a second before the subCA restrictions take affect
+    private static final Date BEFORE_JANUARY_1_2020 =
+        Date.from(LocalDate.of(2020, 1, 1)
+                           .atStartOfDay(ZoneOffset.UTC)
+                           .minusSeconds(1)
+                           .toInstant());
+
    public static void main(String[] args) throws Exception {

        cf = CertificateFactory.getInstance("X.509");
-        boolean distrust = args[0].equals("true");
-        if (!distrust) {
-            // disable policy
+
+        boolean before = args[0].equals("before");
+        boolean policyOn = args[1].equals("policyOn");
+        boolean isValid = args[2].equals("valid");
+
+        if (!policyOn) {
+            // disable policy (default is on)
            Security.setProperty("jdk.security.caDistrustPolicies", "");
        }

+        Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;
+
        X509TrustManager pkixTM = getTMF("PKIX", null);
        X509TrustManager sunX509TM = getTMF("SunX509", null);
        for (String test : rootsToTest) {
            System.err.println("Testing " + test);
            X509Certificate[] chain = loadCertificateChain(test);

-            testTM(sunX509TM, chain, !distrust);
-            testTM(pkixTM, chain, !distrust);
+            testTM(sunX509TM, chain, notBefore, isValid);
+            testTM(pkixTM, chain, notBefore, isValid);
        }

        // test chain if params are passed to TrustManager
        System.err.println("Testing verisignuniversalrootca with params");
        testTM(getTMF("PKIX", getParams()),
-               loadCertificateChain("verisignuniversalrootca"), !distrust);
+               loadCertificateChain("verisignuniversalrootca"),
+               notBefore, isValid);

        // test code-signing chain (should be valid as restrictions don't apply)
        System.err.println("Testing verisignclass3g5ca code-signing chain");
@ -95,6 +129,16 @@ public class Distrust {
        // set validation date so this will still pass when cert expires
        v.setValidationDate(new Date(1544197375493l));
        v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));
+
+        // test chains issued through subCAs
+        notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
+        for (String test : subCAsToTest) {
+            System.err.println("Testing " + test);
+            X509Certificate[] chain = loadCertificateChain(test);
+
+            testTM(sunX509TM, chain, notBefore, isValid);
+            testTM(pkixTM, chain, notBefore, isValid);
+        }
    }

    private static X509TrustManager getTMF(String type,
@ -122,12 +166,13 @@ public class Distrust {
    }

    private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
-                               boolean valid) throws Exception {
+                               Date notBefore, boolean valid) throws Exception {
        // Check if TLS Server certificate (the first element of the chain)
-        // is issued after April 16, 2019 (should be rejected unless distrust
-        // property is false). To do this, we need to fake the notBefore date
-        // since none of the test certs are issued after then.
-        chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019);
+        // is issued after the specified notBefore date (should be rejected
+        // unless distrust property is false). To do this, we need to
+        // fake the notBefore date since none of the test certs are issued
+        // after then.
+        chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

        try {
            xtm.checkServerTrusted(chain, "ECDHE_RSA");
--- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca2g1-chain.pem
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca2g1-chain.pem
@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----
+MIIGGzCCBQOgAwIBAgIITJltLCqcD0gwDQYJKoZIhvcNAQELBQAwYjEcMBoGA1UE
+AxMTQXBwbGUgSVNUIENBIDIgLSBHMTEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkxEzARBgNVBAoTCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5
+MDEwODIxMTcxNFoXDTIwMDgwODIxMjcwMFowgaoxSjBIBgNVBAMMQWFjdGl2ZS5n
+ZW90cnVzdC1nbG9iYWwtY2EudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCjFUrVHTEX
+0aVU6x9LiGa6oVr9blaCsMFrLicPQguc43Vs/pN+g4jzRXsTSMe9XefezBQb6tzZ
+SMRXVB4kWMr4K1BVgQDkXeyoh4KrXRkdEF9ZIJPNxwTmmYUOc5M6NOYwkLelYz+t
+7n1iNIGylbjwU4qwauElk2alFVqYTEPDLzwvqVDb9jMAJ8MPSDjfUlXW0XD9oXZM
+hC+8LU9JBgJ3YBdzRHa4WnrudUbWjspqaNfAYpVIX0cfCJKnMsKqaSKjS4pIRtWm
+L6NlCTCoIMyOh+wmbWPPX24H2D3+ump5FA35fRYbVznmosl5n1AK34S9tD4XZ7lO
+WZKfaFi1liMCAwEAAaOCAoowggKGMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU
+2HqURHyQcJAWnt0XnAFEA4bWKikwfgYIKwYBBQUHAQEEcjBwMDQGCCsGAQUFBzAC
+hihodHRwOi8vY2VydHMuYXBwbGUuY29tL2FwcGxlaXN0Y2EyZzEuZGVyMDgGCCsG
+AQUFBzABhixodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFwcGxlaXN0Y2Ey
+ZzEwMTBMBgNVHREERTBDgkFhY3RpdmUuZ2VvdHJ1c3QtZ2xvYmFsLWNhLnRlc3Qt
+cGFnZXMuY2VydGlmaWNhdGVtYW5hZ2VyLmFwcGxlLmNvbTCB/wYDVR0gBIH3MIH0
+MIHxBgoqhkiG92NkBQsEMIHiMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9u
+IHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5j
+ZSBvZiBhbnkgYXBwbGljYWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2Ug
+YW5kL29yIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOQYIKwYB
+BQUHAgEWLWh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5
+L3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAs
+oCqgKIYmaHR0cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYTJnMS5jcmwwHQYD
+VR0OBBYEFP0qkmFJhArI0MsfW0V+/wY9x4GSMA4GA1UdDwEB/wQEAwIFoDANBgkq
+hkiG9w0BAQsFAAOCAQEATjT8M0bIq+mFc8k5cd4KDjCMBjYl/l3/8zKlWYGP+nl1
+KRogXcGRa3LcfpdJcqgMrx8e9Xohduvl8MBzwv671rYkppzZdsmZdLVorAdbL5GL
+suhTjAS5yL3NBWNMRpeOgFsVr7YtPDEvo3CFsnzjg7THe0S6Y35oYukJtUzGUvSY
+kC3ApBTdjj0vAeow+dbt+AHKnQiEnon4ToSFmtnkru08Uxe7uyHCQ2sLUg0EPYc9
+t9I8lviaHfK/mQoCzlme2O/H5Rher8dXCv8hVT1NKbsi28EpgpqcTLS+hn/Edc/q
+4dPDoO1Ozs+ixRzFeMpA+JrnAyARb6qbSrAPBgtIbQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIDAjp0MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTQwNjE2MTU0MjAyWhcNMjIwNTIwMTU0MjAyWjBiMRwwGgYDVQQD
+ExNBcHBsZSBJU1QgQ0EgMiAtIEcxMSAwHgYDVQQLExdDZXJ0aWZpY2F0aW9uIEF1
+dGhvcml0eTETMBEGA1UEChMKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQk6EdR0MgFrILa+vD1bTox5jN896/
+6E3p4zaAB/xFG2p8RYauVtOkCX9hDWtdflJrfbTIOcT0Zzr3g84Zb4YvfkV+Rxxn
+UsqVBV3iNlGFwNRngDVvFd0+/R3S/Y80UNjsdiq+49Pa5P3I6ygClhGXF2Ec6cRZ
+O0LcMtEJHdqm0UOG/16yvIzPZtsBiwKulEjzOI/96jKoCOyGl1GUJD5JSZZT6Hmh
+QIHpBbuTlVH84/18EUv3ngizFUkVB/nRN6CbSzL2tcTcatH8Cu324MUpoKiLcf4N
+krz+VHAYCm3H7Qz7yS0Gw4yF/MuGXNY2jhKLCX/7GRo41fCUMHoPpozzAgMBAAGj
+ggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4E
+FgQU2HqURHyQcJAWnt0XnAFEA4bWKikwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
+HQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29t
+L2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYS
+aHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEG
+CCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3Bz
+MA0GCSqGSIb3DQEBCwUAA4IBAQAWR3NvhaJi4ecqdruJlUIml7xKrKxwUzo/MYM9
+PByrmuKxXRx2GqA8DHJXvtOeUODImdZY1wLqzg0pVHzN9cLGkClVo28UqAtCDTqY
+bQZ4nvBqox0CCqIopI3CgUY+bWfa3j/+hQ5CKhLetbf7uBunlux3n+zUU5V6/wf0
+8goUwFFSsdaOUAsamVy8C8m97e34XsFW201+I6QRoSzUGwWa5BtS9nw4mQVLunKN
+QolgBGYq9P1o12v3mUEo1mwkq+YlUy7Igpnioo8jvjCDsSeL+mh/AUnoxphrEC6Y
+XorXykuxx8lYmtA225aV7LaB5PLNbxt5h0wQPInkTfpU3Kqm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
+R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
+9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
+fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
+iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
+1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
+MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
+ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
+uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
+Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
+tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
+PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
+hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
+5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
+-----END CERTIFICATE-----
--- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/appleistca8g1-chain.pem
@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCBDqgAwIBAgIIWax3IY1ByGIwCgYIKoZIzj0EAwIwYjEcMBoGA1UEAwwT
+QXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE5MDEw
+ODIxMTAyNFoXDTIwMDgwODIxMjAwMFowga0xTTBLBgNVBAMMRGFjdGl2ZS5nZW90
+cnVzdC1nbG9iYWwtY2EtZzIudGVzdC1wYWdlcy5jZXJ0aWZpY2F0ZW1hbmFnZXIu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuODY0ODU5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN4oxNLGzmOIfgFRxDaU
+SaOYTQVZCc7a7MXlK1L4/KgN22stgSkrg47aOWviMuzb9Q9hDA/Tn19o9Zr8G5ON
+pYijggKMMIICiDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW
+jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl
+cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0
+cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDEwTwYDVR0R
+BEgwRoJEYWN0aXZlLmdlb3RydXN0LWdsb2JhbC1jYS1nMi50ZXN0LXBhZ2VzLmNl
+cnRpZmljYXRlbWFuYWdlci5hcHBsZS5jb20wgf4GA1UdIASB9jCB8zCB8AYKKoZI
+hvdjZAULBDCB4TCBpAYIKwYBBQUHAgIwgZcMgZRSZWxpYW5jZSBvbiB0aGlzIGNl
+cnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgYW55
+IGFwcGxpY2FibGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlIGFuZC9vciBj
+ZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDgGCCsGAQUFBwICMCwM
+Kmh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5LzAdBgNV
+HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwNwYDVR0fBDAwLjAsoCqgKIYmaHR0
+cDovL2NybC5hcHBsZS5jb20vYXBwbGVpc3RjYThnMS5jcmwwHQYDVR0OBBYEFCQy
+hU8U00tcIz6L0MCT6EGVho0EMA4GA1UdDwEB/wQEAwIDiDAKBggqhkjOPQQDAgNI
+ADBFAiAl5nGHi2u8V0aJSp4o1i3TlK7ao8WvxwBuHKfuKibSLAIhAN8PZqhESS9u
+V7Dr6qzs88yn/1z6oeqPwDsntFpUFtWG
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAtugAwIBAgIQE1Iuv8HdXOEe8nZAdR/n3zAKBggqhkjOPQQDAzCBmDEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj
+KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2
+MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eSAtIEcyMB4XDTE2MDYwOTAwMDAwMFoXDTMxMDYwODIzNTk1OVowYjEcMBoGA1UE
+AwwTQXBwbGUgSVNUIENBIDggLSBHMTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAELVSOaLAQE+/0LdvYCbJD6J1lmW40uNSXyY7J
+1qgiNzLIcWDusPHyxWT2ukdf/OYHeDIt9sqAIMn9cPhykyGIRaOCATowggE2MBIG
+A1UdEwEB/wQIMAYBAf8CAQAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2cuc3lt
+Y2IuY29tL0dlb1RydXN0UENBLUcyLmNybDAOBgNVHQ8BAf8EBAMCAQYwLgYIKwYB
+BQUHAQEEIjAgMB4GCCsGAQUFBzABhhJodHRwOi8vZy5zeW1jZC5jb20wSQYDVR0g
+BEIwQDA+BgZngQwBAgIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2VvdHJ1
+c3QuY29tL3Jlc291cmNlcy9jcHMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMB0GA1UdDgQWBBTDxKRYBWPXgwa6lo3cso8y9ru3QTAfBgNVHSMEGDAWgBQV
+XzVXUVX7JbKtA2n8AaP6vhFV1TAKBggqhkjOPQQDAwNnADBkAjBH2jMNybjCk3Ts
+OidXxJX9YDPMd5S3KDCv8vyTdJGhtoly7fQJRNv5rnVz+6YGfsMCMEp6wyheL7NK
+mqavsduix2R+j1B3wRjelzJYgXzgM3nwhQKKlJWxpF7IGHuva1taxg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj
+KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2
+MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgZgxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAw
+NyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNV
+BAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
+MjB2MBAGByqGSM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcL
+So17VDs6bl8VAsBQps8lL33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLal
+tJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+EVXVMAoG
+CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT
+qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz
+rD6ogRLQy7rQkgu2npaqBA+K
+-----END CERTIFICATE-----