[security-dev 01702]: Re: Please review new regression test for java.net.* API
Andrew John Hughes
ahughes at redhat.com
Thu Mar 18 15:04:40 UTC 2010
On 18 March 2010 14:57, Christopher Hegarty -Sun Microsystems Ireland
<Christopher.Hegarty at sun.com> wrote:
> Pavel Tisnovsky wrote:
>>
>> Christopher Hegarty -Sun Microsystems Ireland wrote:
>>>
>>> Alan Bateman wrote:
>>>>
>>>> Pavel Tisnovsky wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> please review new regression test for java.net.* API. This test check
>>>>> if the cacerts keytool database is configured properly and SSL is really
>>>>> working. The test should not fail if SSL is working (in other case it simply
>>>>> throws IOException). Webrev si available at
>>>>> http://cr.openjdk.java.net/~ptisnovs/TestHttps/
>>>>>
>>>>> Thanks in advance
>>>>> Pavel Tisnovsky
>>>>
>>>> I suspect the dependency on verisign.com will be problematic. Isn't SSL
>>>> already covered by the javax.net and https tests?
>>>
>>> I'm not sure what the prime motivation of the test is. Pavel, can you
>>> please elaborate?
>>>
>>> Reading between the lines I guess the test is verifying that the correct
>>> root Certification Authority is installed in cacerts, i.e. the cert from
>>> www.verisign.com can be validated.
>>
>> Hi Chris, you guessed correctly :-) And we can use other URL if
>> verisign.com is problematic.
>
> OK, so the test is trying to validate cacerts.
>
> Does it make sense to validate this certificate store in a general purpose
> regression test? The test will of course pass with Sun's priority build and
> probably RedHats too, since they contain the root certificate for verisign,
> but an OpenJDK build will not contain it, right? So the test will fail.
>
> Security folk:
> Do we currently have any tests with a dependency on cacerts?
>
> -Chris.
>
>
>>
>>>
>>> Alan is correct there are already tests for SSL/Https in javax.net, but I
>>> believe these use self signed certs, no dependency on cacerts.
>>>
>>> -Chris.
>>>
>>>>
>>>> -Alan.
>>
>
Yes, it will fail.
>From an OpenJDK build:
$ /mnt/builder/jdk7/j2sdk-image/bin/java TestHttps
Exception in thread "main" javax.net.ssl.SSLException:
java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
This has been posted about before; OpenJDK currently can't bootstrap
itself because it doesn't have a working cacerts store (the JAXP URL
uses https).
I don't know how to solve this; we can certainly have the cacerts file
populated on GNU/Linux systems, but I don't have a clue how you'd do
it on Solaris or Windows. How do Sun populate it? Can that be shared?
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the security-dev
mailing list