JDK-8234245 : sun/security/lib/cacerts/VerifyCACerts.java fails due to wrong checksum
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 14
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2019-11-15
  • Updated: 2022-06-27
  • Resolved: 2019-11-15
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 Other
11.0.6Fixed 13.0.2Fixed 14 b24Fixed openjdk8u252Fixed
Related Reports
Relates :  
JDK-8232019 - Add LuxTrust certificate updates to the existing root program
Relates :  
JDK-8246385 - sun/security/lib/cacerts/VerifyCACerts.java one more failure due to wrong checksum
Description
* Reproduce
```
make test TEST="sun/security/lib/cacerts/VerifyCACerts.java"  CONF=server-release
```

* Symptom
```
STDERR:
ERROR: wrong checksum
DE:71:94:6D:6C:5B:2A:AE:5C:AC:D1:3E:07:23:B6:43:CB:F7:32:69:32:04:36:9C:B4:11:78:6A:49:9D:C5:AB
Expected checksum
C7:BE:67:B5:2E:35:17:5E:95:3E:61:68:F8:CF:D0:FB:7F:21:63:91:1E:C2:4D:A2:FE:1B:D4:D4:FA:86:52:7E
java.lang.Exception: At least one cacert test failed
        at VerifyCACerts.main(VerifyCACerts.java:345)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at com.sun.javatest.regtest.agent.MainActionHelper$AgentVMRunnable.run(MainActionHelper.java:298)
        at java.base/java.lang.Thread.run(Thread.java:833)

JavaTest Message: Test threw exception: java.lang.Exception
JavaTest Message: shutting down test
```

* It might be fixed by
```
diff -r 6f42d2a19117 test/jdk/sun/security/lib/cacerts/VerifyCACerts.java
--- a/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java      Fri Nov 15 11:09:29 2019 +0100
+++ b/test/jdk/sun/security/lib/cacerts/VerifyCACerts.java      Fri Nov 15 19:32:55 2019 +0800
@@ -57,7 +57,7 @@
     // SHA-256 of cacerts, can be generated with
     // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95
     private static final String CHECKSUM
-            = "C7:BE:67:B5:2E:35:17:5E:95:3E:61:68:F8:CF:D0:FB:7F:21:63:91:1E:C2:4D:A2:FE:1B:D4:D4:FA:86:52:7E";
+            = "DE:71:94:6D:6C:5B:2A:AE:5C:AC:D1:3E:07:23:B6:43:CB:F7:32:69:32:04:36:9C:B4:11:78:6A:49:9D:C5:AB";

     // map of cert alias to SHA-256 fingerprint
     @SuppressWarnings("serial")
```
Comments
Fix Request (8u): Needed for merge with 8u242. Patch applies cleanly now JDK-8193255 & JDK-8225392 is in place.
14-02-2020
Fix request (11u, 13u): Request to backport this patch together with JDK-8232019 to add the new LuxTrust certificate to the OpenJDK root certificate store. This fixes an issue after JDK-8232019, so it needs to be included. Patch applies cleanly.
20-11-2019
URL: https://hg.openjdk.java.net/jdk/jdk/rev/52752425712c User: weijun Date: 2019-11-15 13:17:01 +0000
15-11-2019
RFR: https://mail.openjdk.java.net/pipermail/security-dev/2019-November/020906.html
15-11-2019