[Bug 150] truststore settings in hotspot

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Tue Jun 10 14:29:15 PDT 2008


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=150
------- Comment #4 from nitya.doraisamy at sun.com  2008-06-10 21:29 -------
Looking at the patch:
Need to check this /etc/pki/tls/certs/ca-bundle.crt ... 

According to Andrew John Hughes, this file may not exist on all icedtea
platforms, and should be more carefully reviewed by the IcedTea community. 

The two key values are never actually used: "/etc/pki/tls/certs/ca-bundle.crt"
and "CertBundle".

This also breaks the PKCS11 provider code, which depends on NONE in trustStore
key value.

For max interoperability, the order of trust files consulted should be the
following:
    javax.net.ssl.trustStore
    <java-home>/lib/ext/jssecacerts
    /etc/pki/tls/certs/ca-bundle.crt
        Need to check if this file exists.  I think this is a LINUX
        only file, and may not exist on all icedtea platforms!
    <java-home>/lib/ext/cacerts

You could reverse the order of the jssecacerts and ca-bundle.crt.  But people
may be expecting jssecacerts to be there given the long history of this file.
This is an arch decision that should be reviewed among the IcedTea
participants.

Something like:

   if (storeFileName != null) {
       // javax.net.ssl.trustStore was set.
       storeFile = new File(storeFileName);
       fis = getFileInputStream(storeFile);
   } else {
       // fallbacks
       String javaHome = props.get("javaHome");
       storeFile = new File(javaHome + sep + "lib" + sep
                                       + "security" + sep +
                                       "jssecacerts");
       if (!storeFile.canRead()) {
           storeFile = new File("/etc/pki/tls/certs/ca-bundle.crt");
           if (storeFile.canRead()) {
               // Need to do something to set the
               // trustStoreType below to "CertBundle"
               ...
           } else {
               storeFile = new File(javaHome + sep + "lib" + sep
                                       + "security" + sep +
                                       "cacerts");
           }
       }
       fis = getFileInputStream(storeFile);
   }

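A worked version of the fallback order proposed in this comment, added here as an example that is neither the patch under review nor JSSE's own code: it walks the candidates in the suggested order, keeps the NONE convention that the PKCS11 provider code depends on, and imports a PEM ca-bundle into an in-memory KeyStore, since the standard KeyStore loaders do not read PEM. The class name, the javaHome parameter and the ".crt" suffix check are assumptions; the lib/security path follows the code sketch above.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.List;

public class TrustStoreResolver {  // hypothetical class, not part of JSSE

    // Candidate trust files in the order proposed in the comment.
    // The ca-bundle.crt entry is Linux-specific and may be absent elsewhere.
    static List<File> candidates(String javaHome) {
        String sec = javaHome + File.separator + "lib" + File.separator
                   + "security" + File.separator;
        return Arrays.asList(new File(sec + "jssecacerts"),
                             new File("/etc/pki/tls/certs/ca-bundle.crt"),
                             new File(sec + "cacerts"));
    }

    // storeProp is the value of javax.net.ssl.trustStore (may be null).
    // Returns null for "NONE" so a provider-backed (e.g. PKCS11) store is left alone.
    static KeyStore resolve(String storeProp, String storeType, String javaHome)
            throws Exception {
        if ("NONE".equals(storeProp)) {
            return null;
        }
        File chosen = null;
        if (storeProp != null) {
            chosen = new File(storeProp);          // explicit setting wins
        } else {
            for (File f : candidates(javaHome)) {
                if (f.canRead()) { chosen = f; break; }
            }
        }
        if (chosen == null) {
            throw new FileNotFoundException("no readable trust store found");
        }
        if (chosen.getName().endsWith(".crt")) {   // assumption: PEM bundle
            return loadPemBundle(chosen);
        }
        KeyStore ks = KeyStore.getInstance(
                storeType != null ? storeType : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(chosen)) {
            ks.load(in, null);                     // no password needed to read trust anchors
        }
        return ks;
    }

    // PEM is not a KeyStore format; parse every certificate and add it as a trusted entry.
    static KeyStore loadPemBundle(File bundle) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // fresh, empty in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new BufferedInputStream(new FileInputStream(bundle))) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-bundle-" + (i++), c);
            }
        }
        return ks;
    }
}
```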