RFR: JDK-8225392: Comparison builds are failing due to cacerts file

Weijun Wang weijun.wang at oracle.com
Thu Jun 13 01:37:31 UTC 2019 


> On Jun 13, 2019, at 12:16 AM, Martin Buchholz <martinrb at google.com> wrote:
> 
> I'm not a security engineer, but:
> - consider creating static finals for e.g. "Mighty Aphrodite" just to give it a symbolic name.

That method is copied from JavaKeyStore.java. Keeping it 100% unchanged gives me more confidence I'm write the file correctly.

> - VerifyCACerts probably fails when the jdk is configured with a different cacerts file (but the JDK doesn't preserve configuration information - how could one fix it?)
> Many downstream organizations will configure a different cacerts.

I don't have a solution. Maybe in your repo you can @ignore this test.

Thanks,
Max

> 
> On Wed, Jun 12, 2019 at 8:42 AM Weijun Wang <weijun.wang at oracle.com> wrote:
> This is my version of the fix:
> 
>    http://cr.openjdk.java.net/~weijun/8225392/webrev.00/
> 
> Now you can still compare cacerts bit by bit.
> 
> Thanks,
> Max
> 
> > On Jun 12, 2019, at 10:50 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> > 
> > Hi Erik,
> > 
> > Are you going to fix this bug soon?
> > 
> > I am inspired by Martin's words and would like to update GenerateCacerts.java so that as long as the certs and their aliases are unchanged, the output cacerts will always be the same. I can send out a code review today.
> > 
> > Thanks,
> > Max
> > 
> >> On Jun 12, 2019, at 10:59 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> >> 
> >> Good idea about the creation time.
> >> 
> >> --Max
> >> 
> >>> On Jun 12, 2019, at 10:53 AM, Martin Buchholz <martinrb at google.com> wrote:
> >>> 
> >>> Google culture really likes build output determinism, and we recently built our own cacerts generator.
> >>> 
> >>> To get determinism, we are using cert digest as alias (must have a unique alias, but value doesn't seem to matter much), and using cert notBefore instead of current (build) timestamp.
> >>> 
> >>> On Mon, Jun 10, 2019 at 12:40 PM Erik Joelsson <erik.joelsson at oracle.com> wrote:
> >>> Since JDK-8193255, when we started generating the cacerts file in the 
> >>> build, the build compare baseline builds have started failing. It seems 
> >>> the cacerts binary file has some non determinism built in so it doesn't 
> >>> get generated exactly the same given the same input. This patch adds 
> >>> special handling when comparing that file by comparing the output of 
> >>> "keytool -list" on the files instead.
> >>> 
> >>> Bug: https://bugs.openjdk.java.net/browse/JDK-8225392
> >>> 
> >>> Webrev: http://cr.openjdk.java.net/~erikj/8225392/webrev.01/
> >>> 
> >>> /Erik
> >>> 
> >> 
> > 
>

More information about the build-dev mailing list