[security-dev 01701]: Re: Please review new regression test for java.net.* API
Sean Mullan
Sean.Mullan at Sun.COM
Thu Mar 18 15:00:55 UTC 2010
Christopher Hegarty -Sun Microsystems Ireland wrote:
> Pavel Tisnovsky wrote:
>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>> Alan Bateman wrote:
>>>> Pavel Tisnovsky wrote:
>>>>> Hi,
>>>>>
>>>>> please review new regression test for java.net.* API. This test
>>>>> checks if the cacerts keytool database is configured properly and
>>>>> SSL is really working. The test should not fail if SSL is working
>>>>> (in other case it simply throws IOException). Webrev is available
>>>>> at http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>
>>>>> Thanks in advance
>>>>> Pavel Tisnovsky
>>>> I suspect the dependency on verisign.com will be problematic. Isn't
>>>> SSL already covered by the javax.net and https tests?
>>>
>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>> please elaborate?
>>>
>>> Reading between the lines I guess the test is verifying that the
>>> correct root Certification Authority is installed in cacerts, i.e.
>>> the cert from www.verisign.com can be validated.
>>
>> Hi Chris, you guessed correctly :-) And we can use other URL if
>> verisign.com is problematic.
>
> OK, so the test is trying to validate cacerts.
>
> Does it make sense to validate this certificate store in a general
> purpose regression test? The test will of course pass with Sun's
> priority build and probably Red Hat's too, since they contain the root
> certificate for verisign, but an OpenJDK build will not contain it,
> right? So the test will fail.
>
> Security folk:
> Do we currently have any tests with a dependency on cacerts?
Yes, but they would be in the closed tests.
--Sean