8198240: Allow cacerts test to pass when GTECyberTrust root expires

Implemented expiry policy exception list Reviewed-by: mullan
2018-04-13 09:37:01 -07:00 · 2018-04-13 09:37:01 -07:00 · fbf1478b8f
commit fbf1478b8f
parent 19581edca2
1 changed files with 177 additions and 168 deletions
--- a/test/jdk/lib/security/cacerts/VerifyCACerts.java
+++ b/test/jdk/lib/security/cacerts/VerifyCACerts.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@

 /**
 * @test
- * @bug 8189131
+ * @bug 8189131 8198240
 * @requires java.runtime.name ~= "OpenJDK.*"
 * @summary Check root CA entries in cacerts file
 */
@ -40,14 +40,13 @@ public class VerifyCACerts {
            = System.getProperty("java.home") + File.separator + "lib"
            + File.separator + "security" + File.separator + "cacerts";

-    private static final String BASE = System.getProperty("test.src", "./");
-
    // The numbers of certs now.
    private static final int COUNT = 80;

    // map of cert alias to SHA-256 fingerprint
    private static final Map<String, String> FINGERPRINT_MAP
-            = new HashMap<String, String>() {{
+            = new HashMap<String, String>() {
+        {
            put("actalisauthenticationrootca [jdk]",
                    "55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66");
            put("buypassclass2ca [jdk]",
@ -208,7 +207,14 @@ public class VerifyCACerts {
                    "F1:C1:B5:0A:E5:A2:0D:D8:03:0E:C9:F6:BC:24:82:3D:D3:67:B5:25:57:59:B4:E7:1B:61:FC:E9:F7:37:5D:73");
            put("xrampglobalca [jdk]",
                    "CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2");
-    }};
+        }
+    };
+
+    // Exception list to 90 days expiry policy
+    private static final HashSet<String> EXPIRY_EXC_ENTRIES
+            = new HashSet<String>(Arrays.asList(
+                    "gtecybertrustglobalca [jdk]"
+            ));

    // Ninety days in milliseconds
    private static final long NINETY_DAYS = 7776000000L;
@ -278,8 +284,11 @@ public class VerifyCACerts {
            // that cert can be scheduled to be removed/renewed.
            Date notAfter = cert.getNotAfter();
            if (notAfter.getTime() - System.currentTimeMillis() < NINETY_DAYS) {
+                if (!EXPIRY_EXC_ENTRIES.contains(alias)) {
                    atLeastOneFailed = true;
-                System.err.println("WARNING: cert will expire within 90 days");
+                    System.err.println("ERROR: cert \"" + alias + "\" expiry \""
+                            + notAfter.toString() + "\" will expire within 90 days");
+                }
            }
        }