[security-dev 01725]: Re: Please review new regression test for java.net.* API

Sean Mullan Sean.Mullan at Sun.COM
Mon Mar 22 08:41:07 PDT 2010


Andrew John Hughes wrote:
> On 18 March 2010 21:12, Christopher Hegarty -Sun Microsystems Ireland
> <Christopher.Hegarty at sun.com> wrote:
>> Andrew John Hughes wrote:
>>> On 18 March 2010 20:56, Christopher Hegarty -Sun Microsystems Ireland
>>> <Christopher.Hegarty at sun.com> wrote:
>>>> Brad, Pavel, Andrew,
>>>>
>>>> I'm also not comfortable with this test, but what bothers me more than
>>>> the
>>>> reliance on an external server is the reliance on cacerts. While cacerts
>>>> (or
>>>> equivalent) is not part of OpenJDK I don't think it makes sense adding a
>>>> test to OpenJDK that has a reliance on it.
>>>>
>>>> For now I think is makes more sense to add a test like this to wherever
>>>> in
>>>> the build process cacerts (or equivalent) is added.
>>>>
>>> The problem is nothing does in the OpenJDK build process.  So SSL is
>>> always broken for OpenJDK builds.  Is this something we really want?
>> This is certainly not ideal, but is a separate issue to the test, right? It
>> seems Sean or someone in the security team should comment on the possibility
>> of adding root CA's to OpenJDK, until then I don't see any requirement for a
>> test.

I don't have an answer right now - this will take some more investigation first.

> My thoughts too.  We have a solution for GNU/Linux where cacerts is
> populated from the crt files found on the system (installed by Mozilla
> and the like).  I don't know what the equivalent would be for Windows
> and Solaris though.  A quick look on my OpenSolaris box didn't find
> any crt files but I only looked in installed packages.  I presume
> firefox may bring some in if it's available.

On Windows you can use the "Windows-ROOT" KeyStore type, ex:

keytool -list -keystore NONE -storetype Windows-ROOT

I haven't tried it, but you could probably use the keytool -importkeystore 
option to import all of these certs into the cacerts file.

On Solaris, you could use the /usr/java/jre/lib/security/cacerts file.


--Sean



More information about the security-dev mailing list