On Fri, 24 Apr 2026 16:01:51 GMT, Artur Barashev <[email protected]> wrote:
>> We need a unit test coverage for host wildcard matching as part of a TLS
>> validation of the server's identity (`X509TrustManagerImpl.checkIdentity`
>> call)
>>
>>
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> Artur Barashev has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Typo fix

test/jdk/javax/net/ssl/ServerName/SNIWildcardMatching.java line 94:

> 92:             {"secret.foo.com", "secret1.foo.com"},
> 93:             {"公司.江利子.net", "*公司.*.net"},
> 94:             {"公司.江利子.example.net", "*.example.net"}

RFC 6125 provides one invalid example that we could also test: `*.example.com` should not match `example.com`.

test/jdk/javax/net/ssl/ServerName/SNIWildcardMatching.java line 173:

> 171:         Certificate[] chain = new Certificate[2];
> 172:         chain[0] = keyCertificate;
> 173:         chain[1] = trustedCertificate;

The trusted certificate is usually not included in the chain. Remove?

test/jdk/javax/net/ssl/ServerName/SNIWildcardMatching.java line 197:

> 195:         var caKeys = kpg.generateKeyPair();
> 196:         serverKeys = kpg.generateKeyPair();
> 197:         clientKeys = kpg.generateKeyPair();

Did you intend to enable client authorization? Otherwise the client certs appear to be unused.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30927#discussion_r3145777774
PR Review Comment: https://git.openjdk.org/jdk/pull/30927#discussion_r3145759166
PR Review Comment: https://git.openjdk.org/jdk/pull/30927#discussion_r3145764281
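The RFC 6125 case raised in the review above, worked through as an added example that is not part of the original message, the pull request, or the JDK's own matching code. The class `WildcardMatchSketch` and its `matches` method are hypothetical, and the sketch assumes the strictest reading of RFC 6125 section 6.4.3: `*` is accepted only as the complete leftmost label and stands for exactly one label.

```java
import java.net.IDN;

// Added illustration: a simplified RFC 6125 section 6.4.3 matcher.
// Not the JDK implementation; "*" is accepted only as the complete
// leftmost label (an assumption made to keep the sketch small).
public class WildcardMatchSketch {

    static boolean matches(String host, String pattern) {
        String[] h = host.split("\\.", -1);
        String[] p = pattern.split("\\.", -1);
        // The wildcard stands for exactly one label, so the label counts
        // must agree. This is what rejects example.com vs *.example.com.
        if (h.length != p.length) {
            return false;
        }
        for (int i = 0; i < p.length; i++) {
            if (h[i].isEmpty() || p[i].isEmpty()) {
                return false; // empty labels are never valid
            }
            if (p[i].contains("*")) {
                // Reject partial wildcards and wildcards right of label 0.
                if (i != 0 || !p[i].equals("*")) {
                    return false;
                }
                continue;
            }
            // Compare internationalized labels in A-label (ASCII) form.
            if (!IDN.toASCII(p[i]).equalsIgnoreCase(IDN.toASCII(h[i]))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed pairs: one plain match, the RFC 6125 negative case,
        // and the two internationalized pairs quoted in the review.
        String[][] pairs = {
            {"www.example.com", "*.example.com"},
            {"example.com", "*.example.com"},
            {"公司.江利子.example.net", "*.example.net"},
            {"公司.江利子.net", "*公司.*.net"},
        };
        for (String[] pair : pairs) {
            System.out.println(pair[0] + " vs " + pair[1]
                    + " -> " + matches(pair[0], pair[1]));
        }
    }
}
```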
