Cacerts generation patch for IcedTea6 HEAD

Pavel Tisnovsky ptisnovs at redhat.com
Tue Dec 21 03:09:09 PST 2010 

Hi all,

I've created patch for cacerts generation prepared for IcedTea6 HEAD.
This patch is heavily based on DJ Lucas's patch (thank you very much!)
but I had to apply three changes:

1) I had to change the lines where the patch is applied to Makefile.am
due to several changes in this file (it's understandable as the original
patch is quite old and it's been prepared for older IcedTea version)

1) DEBUG_BUILD_OUTPUT_DIR macro is used instead of BUILD_OUTPUT_DIR when
cacerts are about to be generated for debug build of IcedTea6 (already
approved by DJ Lucas)

2) I also changed the decision logic which determinates whether the
certificates have to be generated from one .crt file or from an existing
list of .pem files. This ensures correct work in case when only file
containing certificates is installed (this is RHEL 5 and RHEL 6 case:
/etc/ssl/certs/ca-bundle.crt)



I also tried to run JTReg against unpatched and patched IcedTea6. Here
is diff:

--- jtreg-summary.log	2010-12-21 11:28:45.063780000 +0100
+++ /home/brq/ptisnovs/1/cacerts_patch/jtreg2/jtreg-summary.log
2010-12-21 11:28:45.574802000 +0100
@@ -10,15 +10,16 @@
 Error:
java/lang/management/MemoryMXBean/CollectionUsageThresholdConcMarkSweepGC.sh
 Error:  java/net/InetAddress/CheckJNI.java
 Error:  java/net/ipv6tests/UdpTest.java
-FAILED: java/net/URL/TestHttps.java
 Error:  java/nio/channels/SocketChannel/Connect.java
 FAILED: java/nio/charset/Charset/NIOCharsetAvailabilityTest.java
 FAILED: javax/swing/JLabel/6501991/bug6501991.java
+FAILED: lib/security/cacerts/VerifyCACerts.java
 FAILED: sun/java2d/cmm/ColorConvertOp/ColConvCCMTest.java
 FAILED: sun/java2d/cmm/ColorConvertOp/ColConvDCMTest.java
 FAILED: sun/java2d/cmm/ColorConvertOp/MTColConvTest.java
 FAILED: sun/nio/cs/Test4200310.sh
 FAILED: sun/nio/cs/TestSJIS0213.java
+FAILED: sun/security/rsa/TestCACerts.java
 Error:  sun/security/ssl/javax/net/ssl/NewAPIs/SessionTimeOutTests.java
 FAILED: sun/security/validator/CertReplace.java
-Test results: passed: 3,323; failed: 13; error: 5
+Test results: passed: 3,322; failed: 14; error: 5

It's great to see that TestHttps test passed on patched IcedTea, but I'm
not sure why VerifyCACerts and TestCACerts tests failed. It seems that
some certificates are not properly loaded to JVM but I'm not cert. guru
- Lucas don't you know how to solve this? (Could this have anything to
do with NSS?)



Contents of tarball:

jtreg_wo_patch - JTreg results for not patched IcedTea6
jtreg_with_patch - JTreg results for patched IcedTea6 (+ log file
generated by TestCACerts regression test)
jtreg_diffs - diff files generated for above directories
Makefile.am - new contents of Makefile.am with path applied
hg_diff - hg diff generated against recent IcedTea6



>From my point of view: when the two JTreg failures will be resolved, it
is IMHO ok to add this patch to IcedTea6. I welcome all comments of course.

Cheers
Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacerts_patch.tar.bz2
Type: application/x-bzip2
Size: 51173 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101221/b00b0e5a/cacerts_patch.tar.bz2

More information about the distro-pkg-dev mailing list