8350498: Remove two Camerfirma root CA certificates

Backport-of: 4c6dec6

Author: Nibedita Jena

src/java.base/share/classes/sun/security/validator/CamerfirmaTLSPolicy.java

@@ -43,26 +43,14 @@ final class CamerfirmaTLSPolicy {
 
     private static final Debug debug = Debug.getInstance("certpath");
 
-    // SHA-256 certificate fingerprints of distrusted roots
-    private static final Set<String> FINGERPRINTS = Set.of(
-        // cacerts alias: camerfirmachamberscommerceca
-        // DN: CN=Chambers of Commerce Root,
-        //     OU=http://www.chambersign.org,
-        //     O=AC Camerfirma SA CIF A82743287, C=EU
-        "0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3",
-        // cacerts alias: camerfirmachambersca
-        // DN: CN=Chambers of Commerce Root - 2008,
-        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
-        //     L=Madrid (see current address at www.camerfirma.com/address),
-        //     C=EU
-        "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0",
-        // cacerts alias: camerfirmachambersignca
-        // DN: CN=Global Chambersign Root - 2008,
-        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
-        //     L=Madrid (see current address at www.camerfirma.com/address),
-        //     C=EU
-        "136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA"
-    );
+    // SHA-256 certificate fingerprint of distrusted root for TLS
+    // cacerts alias: camerfirmachambersca
+    // DN: CN=Chambers of Commerce Root - 2008,
+    //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
+    //     L=Madrid (see current address at www.camerfirma.com/address),
+    //     C=EU
+    private static final String FINGERPRINT =
+            "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0";
 
     // Any TLS Server certificate that is anchored by one of the Camerfirma
     // roots above and is issued after this date will be distrusted.
@@ -85,7 +73,7 @@ static void checkDistrust(X509Certificate[] chain)
             throw new ValidatorException("Cannot generate fingerprint for "
                 + "trust anchor of TLS server certificate");
         }
-        if (FINGERPRINTS.contains(fp)) {
+        if (FINGERPRINT.equalsIgnoreCase(fp)) {
             Date notBefore = chain[0].getNotBefore();
             LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
                                                         ZoneOffset.UTC);

src/java.base/share/data/cacerts/camerfirmachamberscommerceca

@@ -28,7 +28,7 @@
  *      8223499 8225392 8232019 8234245 8233223 8225068 8225069 8243321 8243320
  *      8243559 8225072 8258630 8259312 8256421 8225081 8225082 8225083 8245654
  *      8305975 8304760 8307134 8295894 8314960 8317373 8317374 8318759 8319187
- *      8321408 8316138 8341057 8303770
+ *      8321408 8316138 8341057 8303770 8350498
  * @summary Check root CA entries in cacerts file
  */
 import java.io.ByteArrayInputStream;
@@ -47,12 +47,12 @@ public class VerifyCACerts {
             + File.separator + "security" + File.separator + "cacerts";
 
     // The numbers of certs now.
-    private static final int COUNT = 111;
+    private static final int COUNT = 109;
 
     // SHA-256 of cacerts, can be generated with
     // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95
     private static final String CHECKSUM
-            = "F1:A9:C7:FE:48:ED:D7:AF:84:C8:9D:C3:88:8D:A3:C8:45:E5:37:4D:B9:18:86:97:AE:CF:6D:41:E6:0E:FB:1B";
+            = "BD:6B:AB:BB:17:87:0D:D5:8D:53:D3:63:A5:DD:70:57:0F:4E:D3:57:4F:E5:FB:05:41:1C:A9:6E:B0:BF:79:38";
 
     // Hex formatter to upper case with ":" delimiter
     private static final HexFormat HEX = HexFormat.ofDelimiter(":").withUpperCase();
@@ -69,10 +69,6 @@ public class VerifyCACerts {
                     "ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D");
             put("camerfirmachambersca [jdk]",
                     "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0");
-            put("camerfirmachambersignca [jdk]",
-                    "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
-            put("camerfirmachamberscommerceca [jdk]",
-                    "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3");
             put("certumca [jdk]",
                     "D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24");
             put("certumtrustednetworkca [jdk]",

src/java.base/share/data/cacerts/camerfirmachambersignca

@@ -21,17 +21,19 @@
  * questions.
  */
 
+import javax.net.ssl.X509TrustManager;
 import java.io.File;
 import java.security.Security;
-import java.time.*;
-import java.util.*;
-import javax.net.ssl.*;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Date;
 
-/**
+/*
  * @test
- * @bug 8346587
+ * @bug 8346587 8350498
  * @summary Check that TLS Server certificates chaining back to distrusted
- *          Camerfirma roots are invalid
+ *          Camerfirma root are invalid
  * @library /test/lib
  * @modules java.base/sun.security.validator
  * @run main/othervm Camerfirma after policyOn invalid
@@ -42,21 +44,19 @@
 
 public class Camerfirma {
 
-    private static final String certPath = "chains" + File.separator + "camerfirma";
+    private static final String CERT_PATH = "chains" + File.separator + "camerfirma";
 
     // Each of the roots have a test certificate chain stored in a file
     // named "<root>-chain.pem".
-    private static String[] rootsToTest = new String[] {
-            "camerfirmachamberscommerceca", "camerfirmachambersca",
-            "camerfirmachambersignca"};
+    private static final String ROOT_TO_TEST = "camerfirmachambersca";
 
     // Date after the restrictions take effect
     private static final ZonedDateTime DISTRUST_DATE =
             LocalDate.of(2025, 04, 16).atStartOfDay(ZoneOffset.UTC);
 
     public static void main(String[] args) throws Exception {
 
-        // All of the test certificates are signed with SHA-1 so we need
+        // All the test certificates are signed with SHA-1, so we need
         // to remove the constraint that disallows SHA-1 certificates.
         String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
         String newProp = prop.replace(", SHA1 jdkCA & usage TLSServer", "");
@@ -70,6 +70,6 @@ public static void main(String[] args) throws Exception {
         };
 
         Date notBefore = distrust.getNotBefore(DISTRUST_DATE);
-        distrust.testCertificateChain(certPath, notBefore, tms, rootsToTest);
+        distrust.testCertificateChain(CERT_PATH, notBefore, tms, ROOT_TO_TEST);
     }
 }