trustAnchors parameter must be non-empty

Tue Jun 5 05:41:22 PDT 2012

Just found this old thread.

cacerts for openjdk-osx-build will now use Mozilla CA Certs and
bundled them in its DMG.

Cheers

2012/3/4 Scott Kovatch <scott.kovatch at oracle.com>:
> Okay, I'll have a look at it. I thought it might be there, but I wasn't replying from my work laptop so I couldn't check.
>
> It probably looks at libdeploy because that was the easiest place I could think of to put the native code, and that already linked against the Security framework.
>
> -- Scott
>
> On Mar 4, 2012, at 11:00 AM, Mike Swingler wrote:
>
>> Scott, the RootCertExtractor.java you originally wrote is in Apple's private drop of Deploy under src/make/macosx/tools. I'm not sure why it does a native System.load() of libdeploy.jnilib, but perhaps it's not longer required.
>>
>> If this code could make it's way into jdk/make/tools, and get run from the JDK makefiles that would totally rock. ;-)
>>
>> Cheers,
>> Mike Swingler
>> Apple Inc.
>>
>> On Mar 4, 2012, at 9:40 AM, Scott Kovatch wrote:
>>
>>> As Mike correctly points out, copying the cacerts file is a short-term solution.
>>>
>>> Each licensee is responsible for obtaining their own set of root certificates for distribution. This was true when Apple was a licensee of Java, which is why we exported the root certificates from the keychain and put them in the cacerts file that gets distributed with Apple's JDK. OpenJDK, in that sense, is just another licensee.
>>>
>>> Oracle distributions of JDK 7 will have a full set of root certificates, the same ones distributed on all other platforms.
>>>
>>> If someone wanted to contribute the code and scripts for extracting the root CAs from the current OS's 'System Roots' keychain I should be able to integrate it post-7u4.
>>>
>>> -- Scott K.
>>>
>>> On Mar 3, 2012, at 10:29 PM, Mike Swingler wrote:
>>>
>>>> As a workaround, you can just copy the cacerts files from Java SE 6 into your OpenJDK bundle, but that is not a permanent solution.
>>>>
>>>> Long term, this is an issue that needs to be authoritatively addressed by Oracle - either by providing a cacerts file, or providing steps to generate one from the native platform. For Java SE 6, we derive the list from the list of root CAs in the Keychain...perhaps this process could be automated when building OpenJDK on the Mac.
>>>>
>>>> Regards,
>>>> Mike Swingler
>>>> Apple Inc.
>>>>
>>>> On Mar 3, 2012, at 4:50 PM, Mark Derricutt wrote:
>>>>
>>>>> I've see this same issue when using the maven-changes-plugin to generate a
>>>>> change log, the source of the problem I was seeing was when using JavaMail,
>>>>> however it occurred both on OpenJDK/OSX on my machine, and on a coworkers
>>>>> Ubuntu machine ( I'm not sure if he was using OpenJDK or the official
>>>>> Oracle Java7 tho ).
>>>>>
>>>>> Unable to see that issue you link as well...
>>>>>
>>>>>
>>>>> --
>>>>> "Great artists are extremely selfish and arrogant things" — Steven Wilson,
>>>>> Porcupine Tree
>>>>>
>>>>>
>>>>> On Sun, Mar 4, 2012 at 12:38 PM, Michael Hall <mik3hall at gmail.com> wrote:
>>>>>
>>>>>> Running into this...
>>>>>> Caused by: java.security.InvalidAlgorithmParameterException: the
>>>>>> trustAnchors parameter must be non-empty
>>>>>>
>>>>>> trying to use some Google data stuff.
>>>>>> Appears to be the same error as...
>>>>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7145128
>>>>>> but that is closed as a duplicate to 7114062 which for some reason I can't
>>>>>> look at?
>>>>>> This bug is not available.
>>>>>>
>>>>>>
>>>>
>>>
>>
>