Code review request: 8011402: Move blacklisting certificate logic from hard code to data

Weijun Wang weijun.wang at oracle.com
Fri Sep 6 13:30:45 UTC 2013


Hi Sean

Please review the code changes at

   8011402: Move blacklisting certificate logic from hard code to data

Hard coded blacklisted certificates are moved out of the class file and 
now inside a data file. Furthermore, only their fingerprints are 
released in the JRE. The makefile covers blacklist files in both open 
and closed repo.

No regression test, cleanup.

*build-dev*, I am not an export of Makefile, and I have some questions:

1. I create a new macro (or function?) called cat-files. Its only 
difference from install-file is that it needs to deal with two inputs. 
Do we already have a similar macro somewhere?

2. cat-files is defined inside CopyFiles.gmk right beside its usage. Do 
you think it's better to define it in a common file?

3. Most important: it only works if both $(BLACKLISTED_CERTS_SRC_OPEN) 
and $(BLACKLISTED_CERTS_SRC_CLOSED) already exists. Currently there is 
no closed blacklist, but I still have to create an empty file there. 
Otherwise, there will be

make[2]: *** No rule to make target 
`/space/repos/jdk8/tl/jdk/src/closed/share/lib/security/blacklisted.certs', 
needed by 
`/space/repos/jdk8/tl/build/macosx-x86_64-normal-server-release/jdk/lib/security/blacklisted.certs'. 
  Stop.

Is there a way to make it work without adding that empty file?

Thanks
Max



More information about the security-dev mailing list