JDK-8222089 : [TESTBUG] sun/security/lib/cacerts/VerifyCACerts.java fails due to cert within 90-day expiry window
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 12,13
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-04-08
  • Updated: 2019-08-14
  • Resolved: 2019-04-08
  • JDK 11: 11.0.4-oracle (Fixed)
  • JDK 12: 12.0.2 (Fixed)
  • JDK 13: 13 b16 (Fixed)
  • JDK 7: 7u231 (Fixed)
  • JDK 8: 8u221 (Fixed)
  • Other: openjdk8u222 (Fixed)
Description
Test: sun/security/lib/cacerts/VerifyCACerts.java

----------System.err:(14/925)----------
ERROR: cert "certplusclass3pprimaryca [jdk]" expiry "Sat Jul 06 16:59:59 PDT 2019" will expire within 90 days
ERROR: cert "certplusclass2primaryca [jdk]" expiry "Sat Jul 06 16:59:59 PDT 2019" will expire within 90 days
java.lang.Exception: At least one cacert test failed
	at VerifyCACerts.main(VerifyCACerts.java:321)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:298)
	at java.base/java.lang.Thread.run(Thread.java:835)
Comments
Fix Request: The same as for jdk12u goes for jdk11u. The patch applies cleanly.
10-04-2019

Fix Request: Requesting approval to backport this test-only fix to 12u. The test is currently failing due to 2 root certs that are soon to expire within 90 days. The test has been modified to temporarily allow these roots to pass the test until we can remove or replace them. Patch applies cleanly.
09-04-2019

We need to contact the root CA vendor (DocuSign) to see if there are replacements for these root CAs or if it is ok to remove them. In the meantime, I will modify the test to make an exception for these 2 roots so that the test passes.
08-04-2019
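
The 90-day expiry check and the temporary exception discussed in this report, as an added example (this is not the code of VerifyCACerts.java): it scans a trust store, fails on any certificate inside the window, and downgrades the two aliases from the test output to a warning until they actually expire. The class name, `TOLERATED_ALIASES`, the default store path and the `changeit` password are assumptions; it needs Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Set;

public class CacertsExpiryCheck {
    // Same window as in the error messages of this report.
    static final Duration WINDOW = Duration.ofDays(90);

    // Hypothetical allowlist: aliases tolerated while a replace-or-remove
    // decision is pending (the two roots named in the test output).
    static final Set<String> TOLERATED_ALIASES = Set.of(
        "certplusclass3pprimaryca [jdk]",
        "certplusclass2primaryca [jdk]");

    public static void main(String[] args) throws Exception {
        // Assumption: default cacerts location and default store password.
        String path = args.length > 0 ? args[0]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        // The File overload (Java 9+) detects the keystore type (JKS or PKCS12).
        KeyStore ks = KeyStore.getInstance(new File(path), "changeit".toCharArray());

        Instant now = Instant.now();
        boolean failed = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!ks.isCertificateEntry(alias) || !(c instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isAfter(now.plus(WINDOW))) continue;   // outside the window

            boolean expired = notAfter.isBefore(now);
            // The allowlist only silences "expiring soon"; an expired root still fails.
            if (!expired && TOLERATED_ALIASES.contains(alias)) {
                System.err.println("WARN: tolerated cert \"" + alias + "\" expires " + notAfter);
            } else {
                failed = true;
                System.err.println("ERROR: cert \"" + alias + "\" "
                    + (expired ? "expired " : "will expire within 90 days, on ") + notAfter);
            }
        }
        if (failed) throw new Exception("At least one cacert check failed");
    }
}
```

Run it with a trust store path as the first argument to audit a store other than the running JDK's own.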