[8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)

Andrew John Hughes gnu.andrew at redhat.com
Tue May 14 13:26:42 UTC 2019


On 07/05/2019 15:15, Langer, Christoph wrote:
> Ping: can I please have a review for this?
> 
> From: Langer, Christoph
> Sent: Thursday, 2 May 2019 14:55
> To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>; security-dev <security-dev at openjdk.java.net>
> Subject: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)
> 
> Hi,
> 
> as was already discussed and requested on the mailing lists ([0], [1]), I hereby propose a change to add the root certificates of upstream OpenJDK to OpenJDK 8 updates.
> 
> The main bug that (initially) brought the Oracle certificates to OpenJDK is 8189131: Open-source the Oracle JDK Root Certificates [2]. My proposed change will also backport all updates to the contents of cacerts since then:
> 
> 8191844: Remove SECOM root (secomevrootca1)
> 8189949: Remove Baltimore Cybertrust Code Signing CA
> 8191031: Remove several Symantec Root CAs
> 8196141: Add GoDaddy root certificates
> 8204923: Restore Symantec root verisignclass2g2ca
> 8195774: Add Entrust root certificates
> 8199779: Add T-Systems, GlobalSign and Starfield services root certificates
> 8209506: Add Google Trust Services GlobalSign root certificates
> 8210432: Add additional TeliaSonera root certificate
> 8195793: Remove GTE CyberTrust Global Root
> 8216577: Add GlobalSign's R6 Root certificate
> 8222137: Remove T-Systems root CA certificate
> 
> Please find the webrev here: http://cr.openjdk.java.net/~clanger/webrevs/8189131.8u/
> 
> I took the current state of cacerts from the jdk/jdk repo along with the provided testcases and brought them down to the jdk8 repository layout.
> 
> To make the test run in JDK8, I had to
> a) modify test/sun/security/lib/cacerts/VerifyCACerts.java:
>   240     private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<String>() {
> I needed to add the String type to the constructor of the HashSet, since the JDK8 java compiler will not accept <> in that place.
> 
> b) modify test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
> 
>   60     private static final String CACERTS_STORE = System.getProperty("test.jdk")
>   61             + FS + "jre" + FS + "lib" + FS + "security" + FS + "cacerts";
> I needed to adapt the path to cacerts in a JDK8 JDK/JRE as it is located in subdirectory jre there.
> 
> Out of the tests in test/security/infra/java/security/cert/CertPathValidator/certification, there are 2 failing:
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
> FAILED: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
> However, for jdk/jdk it is the same. JBS Issues for these tests exist and are yet unresolved: JDK-8202651 and JDK-8215546.
> 
> Since the tests don't seem to be part of any tier, I propose to include them in this backport and later on also backport possible fixes to them.
> 
> Thanks
> Christoph
> 
> [0] https://mail.openjdk.java.net/pipermail/security-dev/2019-March/019557.html
> [1] https://mail.openjdk.java.net/pipermail/security-dev/2019-April/019733.html
> [2] https://bugs.openjdk.java.net/browse/JDK-8189131
> 

Sorry for the slow response. I've built up a bit of a backlog with the
recent public holidays here in the UK.

It doesn't look like there's much to review here, given the main content
of the patch is binary. Thanks for referencing all the imported bugs.
Let's get it in and then we can work out any remaining issues once it's
in the repos for people to play around with.

As to testing, you should be able to direct jtreg to the
jdk/test/security/infra subdirectory to run just these tests. That's how
I ran the calendar ones.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
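As an added example, not code from the webrev or from OpenJDK, the following program performs the two checks the thread turns on: it locates cacerts in either the JDK 8 layout (jre/lib/security) or the 9+ layout (lib/security), then enumerates the trusted roots, prints each alias with its SHA-256 fingerprint, flags any root that has already expired (the case VerifyCACerts handles through its EXPIRY_EXC_ENTRIES list), and confirms that aliases expected to be added or removed by the backported bugs are present or absent. The alias strings themselves are not stated in the thread, so they are passed on the command line rather than hard-coded; the "changeit" store password is the one the JDK ships cacerts with.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/* Added example, not code from the webrev or from OpenJDK: audit a JDK's cacerts truststore.
 * Alias names to check are passed on the command line; the thread does not state them. */
public class CacertsAudit {

    /* JDK 8 keeps the truststore under jre/lib/security, JDK 9+ under lib/security. On JDK 8
     * System.getProperty("java.home") already points at jre/, which the second candidate covers. */
    static Path locateCacerts(Path javaHome) throws IOException {
        Path[] candidates = {
            javaHome.resolve(Paths.get("jre", "lib", "security", "cacerts")),
            javaHome.resolve(Paths.get("lib", "security", "cacerts"))
        };
        for (Path p : candidates) {
            if (Files.isRegularFile(p)) return p;
        }
        throw new IOException("no cacerts found under " + javaHome);
    }

    /* cacerts ships with the well-known password "changeit". JDK 8 writes it as JKS; the JKS
     * KeyStore on later JDKs also reads the PKCS12-formatted file (dual-format support). */
    static KeyStore loadCacerts(Path cacerts) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /* Colon-separated SHA-256 of the DER encoding, the form keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        }
        return sb.toString();
    }

    static final class Report {
        final Set<String> aliases = new TreeSet<String>();
        final List<String> problems = new ArrayList<String>();
    }

    static Report audit(KeyStore ks, Set<String> mustBePresent, Set<String> mustBeAbsent,
                        Date now) throws Exception {
        Report r = new Report();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // A truststore should hold trusted-certificate entries only; a key entry is a red flag.
            if (!ks.isCertificateEntry(alias)) {
                r.problems.add("non-certificate entry: " + alias);
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            r.aliases.add(alias);
            if (cert.getNotAfter().before(now)) {
                r.problems.add("expired root " + alias + " (notAfter " + cert.getNotAfter() + ")");
            }
            System.out.printf("%-45s %s%n", alias, sha256Fingerprint(cert));
        }
        for (String a : mustBePresent) {
            if (!r.aliases.contains(a)) r.problems.add("expected root missing: " + a);
        }
        for (String a : mustBeAbsent) {
            if (r.aliases.contains(a)) r.problems.add("root should have been removed: " + a);
        }
        return r;
    }

    /* Usage: java CacertsAudit [JAVA_HOME] [+alias_that_must_exist ...] [-alias_that_must_be_gone ...] */
    public static void main(String[] args) throws Exception {
        Path javaHome = Paths.get(System.getProperty("java.home"));
        Set<String> present = new TreeSet<String>();
        Set<String> absent = new TreeSet<String>();
        for (String a : args) {
            if (a.startsWith("+")) present.add(a.substring(1));
            else if (a.startsWith("-")) absent.add(a.substring(1));
            else javaHome = Paths.get(a);
        }
        Path cacerts = locateCacerts(javaHome);
        Report r = audit(loadCacerts(cacerts), present, absent, new Date());
        System.out.println(r.aliases.size() + " trusted roots in " + cacerts);
        for (String p : r.problems) System.out.println("PROBLEM: " + p);
        System.exit(r.problems.isEmpty() ? 0 : 1);
    }
}
```

Run it against the built JDK 8 image before and after applying the webrev and diff the alias/fingerprint output; the removals and additions listed in the RFR should be the only differences, and the fingerprints can be compared against the table in the backported VerifyCACerts.java. A non-zero exit means a root is missing, unexpectedly present, already expired, or that the store carries a private-key entry, none of which a shipped cacerts should have.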