JDK-8362455 : Test test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java correction
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 25
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2025-07-17
  • Updated: 2025-08-08
  • Resolved: 2025-08-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
tbdResolved
Related Reports
Causes :  
JDK-8350807 - Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled
Duplicate :  
JDK-8359956 - Support algorithm constraints and certificate checks in SunX509 key manager
Description
It is observed that method (customCertificateBuilder) in test class test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java needs a correction. 

While creating a certificate with validity params of notBefore and notAfter, instead the certificate is created notAfter both the times. However the test is passing in main because internally if "notBefore" is NULL, the variable is assigned to default value whereas in LTS versions the same is not available (which means "notBefore is NULL which throws NPE exception). The same is corrected while doing backport however the code is still available in main.

Main line code :

 private static CertificateBuilder customCertificateBuilder(
            String subjectName, PublicKey publicKey, PublicKey caKey)
            throws CertificateException, IOException {
        SecureRandom random = new SecureRandom();

        CertificateBuilder builder = new CertificateBuilder()
                .setSubjectName(subjectName)
                .setPublicKey(publicKey)
                .setNotAfter(
                        Date.from(Instant.now().minus(1, ChronoUnit.HOURS)))
                .setNotAfter(Date.from(Instant.now().plus(1, ChronoUnit.HOURS)))
                .setSerialNumber(
                        BigInteger.valueOf(random.nextLong(1000000) + 1))
                .addSubjectKeyIdExt(publicKey)
                .addAuthorityKeyIdExt(caKey);
        builder.addKeyUsageExt(
                new boolean[]{true, true, true, true, true, true});

        return builder;
    }

Observe the below lines of code 
 .setNotAfter(Date.from(Instant.now().minus(1, ChronoUnit.HOURS)))
 .setNotAfter(Date.from(Instant.now().plus(1, ChronoUnit.HOURS)))
Comments
Only issues associated with changesets should be closed as "Fixed". This issue should be closed as a duplicate of: JDK-8359956 Support algorithm constraints and certificate checks in SunX509 key manager
08-08-2025
Hi [~abarashev], Not been aware of this and since it is addressed as part of other bug https://bugs.openjdk.org/browse/JDK-8359956. I will close this bug. Thank you.
25-07-2025
Hi [~ksreenath]! Good catch! I actually have noticed this also already and fixed it in this PR (currently being reviewed): https://github.com/openjdk/jdk/pull/25016 Not sure if we should address it as a separate issue.
24-07-2025